Re: SEC Consult's "CSP Bypasses"

On Wed, Jul 17, 2013 at 9:24 PM, Boris Zbarsky <> wrote:

> On 7/17/13 2:50 PM, Anne van Kesteren wrote:
>> How is this not frame-src? Or is this about top-level? What's the
>>>> scenario there?
>>> The scenario is injection causing automagical top-level navigation.
>>> That's
>>> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
>>> `frame-src` doesn't seem relevant enough. *shrug*
>> I meant the attack scenario. If it's a top-level navigation there's no
>> same-origin concern. There would be if it happened inside an <iframe>.
> I'm not sure I follow the toplevel-vs-iframe distinction here.  Why is
> there no same-origin concern with toplevel navigation?  Or are we assuming
> things like no ability to from inside the frame before
> navigating the toplevel?

Same-origin or not, it seems valuable to prevent injections from taking
actions that the user couldn't anticipate. Injecting a meta tag can cause
navigation from a good origin to a bad origin, which makes phishing et al.
much simpler, even if the latter doesn't have access to the former.


Received on Thursday, 18 July 2013 08:53:31 UTC