
Re: SEC Consult's "CSP Bypasses"

From: Mike West <mkwst@google.com>
Date: Thu, 18 Jul 2013 17:03:31 +0200
Message-ID: <CAKXHy=c89VmQVv8=4o4SCZdyC-Ndu2=Lex482388xeP74=K5Hg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 17, 2013 at 8:50 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> >> How is this not frame-src? Or is this about top-level? What's the
> >> scenario there?
> >
> > The scenario is injection causing automagical top-level navigation. That's
> > why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
> > `frame-src` doesn't seem relevant enough. *shrug*
>
> I meant the attack scenario. If it's a top-level navigation there's no
> same-origin concern. There would be if it happened inside an <iframe>.
> Navigating the user to a data URL or a different domain over http
> seems about the same...

As another data point, sandboxed iframes block meta refresh if automatic
features aren't allowed via 'allow-script'[1]. That seems like a good
argument for tying this to 'script-src'.
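The sandbox behaviour referred to above can be checked directly in a browser. The page below is an added illustration, not part of the thread or of any W3C or WHATWG text: two iframes receive the same constructed injected markup (a zero-delay `<meta http-equiv="refresh">`), and only the `sandbox` tokens differ. Note that the HTML sandbox token is spelled `allow-scripts`; it is the token that also clears the "sandboxed automatic features" flag, which is what gates declarative refresh. The frame ids, labels and the `about:blank` destination are arbitrary choices for the demo. Whether CSP's `script-src` should also govern this is the open question in the thread; the example does not settle it.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>sandbox vs. meta refresh (added demo)</title>
<!-- Added demonstration page; not from the thread or from any spec text.
     Open it from any origin. No server or network access is required. -->
<style>iframe { width: 22em; height: 6em; border: 1px solid #888; }</style>

<p>Each frame is loaded with the same markup, which contains an injected
   declarative refresh. Only the <code>sandbox</code> tokens differ.</p>

<!-- Frame A: bare sandbox attribute. The "sandboxed automatic features"
     flag stays set, so the refresh never fires and the frame keeps
     showing its own text. -->
<p>A: <code>sandbox</code> (refresh expected to be blocked)</p>
<iframe id="frame-a" sandbox></iframe>

<!-- Frame B: allow-scripts also unsets the automatic-features flag, so
     the refresh runs and the frame navigates to about:blank, i.e. its
     text disappears. -->
<p>B: <code>sandbox="allow-scripts"</code> (refresh expected to fire)</p>
<iframe id="frame-b" sandbox="allow-scripts"></iframe>

<script>
  // Constructed sample of what an attacker might get injected into an
  // HTML body: a zero-delay refresh to a destination of their choosing.
  // At top level, with no sandbox, this is the "automagical top-level
  // navigation" the thread is about. about:blank is used only so the demo
  // works offline; an attacker-controlled URL behaves the same way.
  const injected =
    '<meta http-equiv="refresh" content="0;url=about:blank">' +
    '<p>If this text is still visible, the refresh was blocked.</p>';

  // Assigning srcdoc navigates each frame with its own sandbox flags
  // applied, so the two frames differ only in those flags.
  for (const id of ['frame-a', 'frame-b']) {
    document.getElementById(id).srcdoc = injected;
  }
</script>
```

After loading, frame A should still show the "refresh was blocked" line while frame B goes blank; if both behave the same, the browser under test is not applying the automatic-features sandbox flag to declarative refresh.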


Received on Thursday, 18 July 2013 15:04:22 UTC
