- From: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Date: Wed, 27 Aug 2014 22:06:14 +0800
- To: public-webappsec@w3.org
- Message-ID: <CABm0mE7BzfGeHTr12o_uY1cuUs==QykPvHbWRwU8cNJVXLUGYw@mail.gmail.com>
The JSONP call is used more and more on websites. If the developer offers a JSONP call like:

http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo

If you are logged in, the browser will send the cookie to the server, and the server may return:

ondisplayuserinfo({"username": "Hatter Jiang", "email": "test_mail@example.com"});

This JSONP can be used by other sites (like http://evil.com/something_interesting.htm, and most browsers will allow third-party cookies by default):

<script type="text/javascript">
function ondisplayuserinfo(userInfo) {
    // TODO collect user info here
}
</script>
<script type="text/javascript" src="http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo"></script>

So the JSONP may be very unsafe and cause user info leaks. We can resolve this issue by using CSRF token checking; we should add a CSRF check at the server side, but it may take a long time to resolve it. And according to referrer-policy (http://www.w3.org/TR/referrer-policy/), the referer may not be set, so we cannot resolve it simply by referer checking.

If CSP can be set like this:

script-ancestors: *.example.com

Then the JSONP (actual script) call from evil.com will not take effect, like frame-ancestors's behavior.

Hatter Jiang
Received on Wednesday, 27 August 2014 14:06:51 UTC