- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 27 Aug 2014 22:02:40 -0700
- To: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi
Does CORS solve this use case more securely? I understand that CORS is not
available on all browsers, but any browser that might implement the
proposal you mention already supports CORS. I can't imagine a browser
that doesn't support CORS but will support CSP v2.next
thanks
Dev
On 27 August 2014 07:06, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:
> JSONP calls are used more and more on websites. If the developer offers
> a JSONP call like:
>
> http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo
>
> If you are logged in, the browser will send the cookie to the server, and
> the server may return:
>
> ondisplayuserinfo({"username": "Hatter Jiang", "email":
> "test_mail@example.com"});
>
> This JSONP can be used by other sites (like
> http://evil.com/something_interesting.htm, and most browsers will allow
> third-party cookies by default):
>
> <script type="text/javascript">
> function ondisplayuserinfo(userInfo) {
> // TODO collect user info here
> }
> </script>
> <script type="text/javascript"
> src="http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo"></script>
>
> So the JSONP may be very unsafe and cause a user info leak. We can resolve this
> issue by using CSRF token checking;
> we should add a CSRF check at the server side, but it may take a long time to
> resolve it.
>
> And according to referrer-policy (http://www.w3.org/TR/referrer-policy/), the
> referer may not be set,
> so we cannot resolve it simply by referer checking.
>
> If CSP can be set like this:
>
> script-ancestors: *.example.com
>
> Then the JSONP (actual script) call from evil.com will not take effect, like
> frame-ancestors' behavior.
>
>
> Hatter Jiang
Received on Thursday, 28 August 2014 05:03:27 UTC
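The exchange above contrasts a cookie-authenticated JSONP endpoint with Dev's suggestion of CORS. The following is an added example, not code from either participant or from any W3C specification: it serves the same user-info record both ways so the difference is visible in the response itself. The session store, the `session` cookie name, the `handleJsonp`/`handleCors` handlers, the request shape (`headers`, `query`) and the https-only `*.example.com` allowlist are all constructed for this example.

```javascript
// Added example (not from the thread): one user-info record served as JSONP
// and as a CORS-gated JSON API, to show where the JSONP form leaks.
// Session store, cookie name, request shape and allowlist are constructed.

// Constructed session store: cookie value -> user record.
const SESSIONS = {
  sess_abc123: { username: "Hatter Jiang", email: "test_mail@example.com" },
};

// Origins allowed to read the JSON API: the "*.example.com" of the proposal,
// restricted to https. The check parses the Origin rather than doing a suffix
// match on the raw string, which would wrongly accept hosts such as
// "example.com.evil.example" or "notexample.com".
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // unparsable, including the literal "null" origin
  }
  if (url.protocol !== "https:") return false;
  if (url.origin !== origin) return false; // reject anything beyond scheme://host[:port]
  const host = url.hostname;
  return host === "example.com" || host.endsWith(".example.com");
}

// Look up the user behind the "session" cookie (constructed cookie name).
function userFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// Legacy JSONP endpoint as described in the thread. A <script src=...> on any
// site carries the user's cookie, and because the body is executable script
// that calls a function the including page defined, that page receives the
// data. Nothing here can tell an evil.com page from an example.com page.
function handleJsonp(req) {
  const user = userFromCookie(req.headers.cookie);
  if (!user) return { status: 401, headers: {}, body: "" };
  const cb = req.query.callback;
  // Only reflect a plain identifier as the callback name.
  if (!/^[A-Za-z_$][\w$]*$/.test(cb)) return { status: 400, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(user)});`,
  };
}

// CORS replacement. The body is plain JSON, which a <script> tag cannot turn
// into data, so the only cross-origin way to read it is XHR/fetch, and the
// browser hands that response to the page only when the Origin is echoed
// back in Access-Control-Allow-Origin.
function handleCors(req) {
  const user = userFromCookie(req.headers.cookie);
  if (!user) return { status: 401, headers: {}, body: "" };
  const origin = req.headers.origin;
  const headers = { "Content-Type": "application/json", Vary: "Origin" };
  if (origin !== undefined) {
    if (!isAllowedOrigin(origin)) {
      // Cross-origin caller outside the allowlist: refuse outright instead of
      // relying on the browser to discard an unreadable 200.
      return { status: 403, headers, body: "" };
    }
    headers["Access-Control-Allow-Origin"] = origin; // never "*" with credentials
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  // No Origin header: same-origin navigation or a classic <script> load; the
  // JSON body is useless to a script tag, and no ACAO header is emitted.
  return { status: 200, headers, body: JSON.stringify(user) };
}

module.exports = { isAllowedOrigin, userFromCookie, handleJsonp, handleCors };
```

Running `handleJsonp` with a valid session cookie returns the `ondisplayuserinfo({...})` script body regardless of who embedded it, which is the leak Hatter describes; `handleCors` with the same cookie returns 403 for `https://evil.com` and the JSON body with `Access-Control-Allow-Origin: https://www.example.com` plus `Access-Control-Allow-Credentials: true` for the allowlisted origin. `Vary: Origin` keeps a shared cache from replaying one origin's allow header to another.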