Re: Remove paths from CSP? from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 10:49:59 +0100
To: "Eduardo' Vela" <evn@google.com>
Cc: Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <CAKXHy=e12yOtzqHDd+59ZOPEjDrkm9vbVxZRe04eNxFT2NaQUQ@mail.gmail.com>

On Wed, Feb 12, 2014 at 9:59 AM, Eduardo' Vela" <Nava> <evn@google.com>wrote:

> To clarify.
>
> If anyone whitelists www.google.com then they will whitelist
>
> <script src="
> https://www.google.com/news/feed?output=jsonp&callback=document.forms[0].elements[3].click
> ">
>
> Which if done in sequence can be used to click all buttons in the UI, and
> do XSS-like attacks.
>
> We called this attack reverse clickjacking :-P
>

I agree with you that preserving paths for scripts would be useful. I
disagree that a lack of paths would make CSP unusable for Google, just less
effective.

Would limiting paths to 'script-src' and 'style-src' leave the same leakage
potential? I suspect it would, but I'd need to test <script>'s behavior
cross-browser.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 12 February 2014 09:50:48 UTC