
Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 11:21:26 +0100
Message-ID: <CAKXHy=ccJkLTXrfaerW_Tenmdbtw64oA8HRsfLotF8UauXKV7g@mail.gmail.com>
To: Michal Zalewski <lcamtuf@google.com>
Cc: "Eduardo' Vela" <evn@google.com>, Brad Hill <bhill@paypal-inc.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
On Wed, Feb 12, 2014 at 10:57 AM, Michal Zalewski <lcamtuf@google.com> wrote:

> But if almost all of our applications need to whitelist the entire
> https://www.google.com/ as a permissible source for scripts, then...
> well, "less effective" is probably a very polite way of putting it,
> because there are dozens of essential public APIs that would
> effectively permit attackers to effectively execute nearly-arbitrary
> JS :-) Another example:
> https://www.google.com/jsapi?callback=foo[1].bar


Happily, I'm not on Google's infra security team, so I can suggest that
Google should be more careful about a) scoping APIs to origins, and b) not
allowing arbitrary callbacks, while remaining blissfully unaware of the
work that would be involved in doing so. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registry court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
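The "not allowing arbitrary callbacks" point above, as an added example that is not part of this thread or of any Google code: a server-side JSONP endpoint that accepts a callback name only if it is a dotted chain of plain JavaScript identifiers, so a value shaped like the quoted `foo[1].bar` is refused rather than echoed into a script body. The function names and the sample callback values are constructed for illustration.

```python
import json
import re

# A callback is a dotted chain of plain JS identifiers, e.g. "app.onData".
# Brackets, parentheses, quotes, slashes and whitespace are all rejected, so
# the response can only invoke a function the embedding page already defined.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
_MAX_CALLBACK_LEN = 64  # constructed limit; keeps pathological names out


def is_safe_callback(name):
    """Return True only if `name` is a bounded, dotted identifier chain."""
    return (
        isinstance(name, str)
        and 0 < len(name) <= _MAX_CALLBACK_LEN
        and _CALLBACK_RE.match(name) is not None
    )


def jsonp_response(callback, payload):
    """Build the JSONP body, or return None when the callback is unacceptable.

    The payload is serialised with json.dumps and the characters <, > and &
    are replaced by \\uXXXX escapes (valid inside JSON strings), so the body
    stays inert even if a browser sniffs it as HTML.
    """
    if not is_safe_callback(callback):
        return None
    body = json.dumps(payload, separators=(",", ":"))
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return callback + "(" + body + ");"


if __name__ == "__main__":
    # Constructed sample callback values a server might receive.
    for name in ["foo", "app.onData", "foo[1].bar", "alert(1)//", "a..b", ""]:
        print(repr(name), "->", "accepted" if is_safe_callback(name) else "rejected")
    print(jsonp_response("cb", {"user": "</script>"}))
```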
Received on Wednesday, 12 February 2014 10:22:16 UTC
