- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 23 Jul 2013 19:51:02 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Mike

> #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender"
> href="http://example.com/">` can cause a credential request to be made on a
> user's behalf. The author suggests that `connect-src` should control this
> behavior: I think I agree, even though it's not a perfect fit.

I suggest not doing anything about this. If I am not wrong, http://example.com is only pre-rendered. Arbitrary script execution only occurs in the context of this new page, and has nothing to do with the page with CSP. An attacker could also just show a link to example.com and, with appropriately interesting text, entice a user to click on it.

Maintaining arbitrary data confinement, afaik, is not a goal of CSP. For example, anchor tags, postMessage, and window.open (mentioned by Boris) are some things that CSP doesn't say anything about. My understanding is that CSP's primary goal is to mitigate XSS and control what things can show up on a page with CSP protections. Thus, img-src and frame-src and so on.

Looking ahead, if the WG thinks controlling network loads (and thus, some sort of data-confinement) is a goal, then CSP seems like the wrong mechanism for it. Alex Russell's fantastic Navigation Controller proposal seems like a much better fit.

Finally, I don't think connect-src should cover this. I might want to pre-render a link to untrusted.com, but not use it for XHRs? connect-src semantics seem to be "source of network fetches used in scripts". Prerender/prefetching is not that.

> #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can
> cause script to execute. It won't be same-origin with the page into which it
> was injected, but depending on the script, it could be a phishing vector,
> etc.

For the same reason as above, I suggest not doing anything about this. If anything, maybe we can just make CSPified pages not follow meta refresh since it is a hack and there are far cleaner ways of doing redirects.

thanks
Dev
Received on Wednesday, 24 July 2013 02:51:49 UTC