W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2013

Re: SEC Consult's "CSP Bypasses"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Jul 2013 11:50:04 -0700
Message-ID: <CADnb78ivpauG-Zj9Ncrgs1+QVADaAf4VHaxtcUV_B-1dGCsMng@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 17, 2013 at 10:36 AM, Mike West <mkwst@google.com> wrote:
> On Wed, Jul 17, 2013 at 7:04 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Isn't frame-src closer?
> Might be, yes. `connect-src` seemed more apt, since prefetching is invisible
> to the user in ways that frames generally aren't, but I'm not strongly tied
> to either.

My rationale for frame-src is that preloading would execute scripts,
whereas doing an XMLHttpRequest or EventSource would not.

>> How is this not frame-src? Or is this about top-level? What's the
>> scenario there?
> The scenario is injection causing automagical top-level navigation. That's
> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
> `frame-src` doesn't seem relevant enough. *shrug*

I meant the attack scenario. If it's a top-level navigation there's no
same-origin concern. There would be if it happened inside an <iframe>.
Navigating the user to a data URL or a different domain over http
seems about the same...

Received on Wednesday, 17 July 2013 18:50:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC