W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2013

Re: SEC Consult's "CSP Bypasses"

From: Mike West <mkwst@google.com>
Date: Thu, 18 Jul 2013 10:52:43 +0200
Message-ID: <CAKXHy=c+ehbB7=F=f2CoPbj0qj1oZAM8XQOQujf3YqwyWuLsSw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 17, 2013 at 9:24 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 7/17/13 2:50 PM, Anne van Kesteren wrote:
>> How is this not frame-src? Or is this about top-level? What's the
>>>> scenario there?
>>> The scenario is injection causing automagical top-level navigation.
>>> That's
>>> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
>>> `frame-src` doesn't seem relevant enough. *shrug*
>> I meant the attack scenario. If it's a top-level navigation there's no
>> same-origin concern. There would be if it happened inside an <iframe>.
> I'm not sure I follow the toplevel-vs-iframe distinction here.  Why is
> there no same-origin concern with toplevel navigation?  Or are we assuming
> things like no ability to window.open from inside the frame before
> navigating the toplevel?

Same-origin or not, it seems valuable to prevent injections from taking
actions that the user couldn't anticipate. Injecting a meta tag can cause
navigation from a good origin to a bad origin, which makes phishing et al.
much simpler, even if the latter doesn't have access to the former.

Received on Thursday, 18 July 2013 08:53:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC