On Feb 12, 2014 2:21 AM, "Mike West" <mkwst@google.com> wrote:
>
> On Wed, Feb 12, 2014 at 10:57 AM, Michal Zalewski <lcamtuf@google.com>
> wrote:
>>
>> But if almost all of our applications need to whitelist the entire
>> https://www.google.com/ as a permissible source for scripts, then...
>> well, "less effective" is probably a very polite way of putting it,
>> because there are dozens of essential public APIs that would
>> effectively permit attackers to effectively execute nearly-arbitrary
>> JS :-) Another example:
>> https://www.google.com/jsapi?callback=foo[1].bar
>
>
> Happily, I'm not on Google's infra security team, so I can suggest that
> Google should be more careful about a) scoping APIs to origins, and b) not
> allowing arbitrary callbacks, while remaining blissfully unaware of the
> work that would be involved in doing so. :)
Before CSP it was perfectly reasonable to have JSONP APIs, and there wasn't
a reason to separate them.
Also, looking at this problem from an outsider's perspective: if I want to
use some API, how can I know whether the third-party origin I'm whitelisting
has no JSONP APIs?
Having path support means there is a way to be at less risk of introducing
vulnerable policies.
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
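A defender-side illustration of the path-scoping point in this thread, added here and not part of the original messages: a simplified CSP Level 2 source-expression matcher showing that an origin-only `script-src` admits the JSONP URL quoted above while a path-scoped source does not, plus the kind of callback-name check Mike suggests. The `/js/` paths, `widget.js` and the callback names are constructed examples; the matching rules are a reduced form of the CSP2 algorithm (exact scheme/host/port, prefix match when the source path ends in `/`, exact path otherwise, query string ignored).

```python
"""CSP Level 2 source-expression matching with path support (added example)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def source_matches(source_expr: str, url: str) -> bool:
    """True if `url` is permitted by the single CSP source expression `source_expr`."""
    src, tgt = urlsplit(source_expr), urlsplit(url)
    if src.scheme != tgt.scheme or src.hostname != tgt.hostname:
        return False
    if _port(src) != _port(tgt):
        return False
    if src.path in ("", "/"):          # no path-part: the whole origin is allowed
        return True
    if src.path.endswith("/"):         # directory prefix match
        return tgt.path.startswith(src.path)
    return tgt.path == src.path        # exact file match; query string is ignored


def script_allowed(script_src: str, url: str) -> bool:
    """Evaluate a whole script-src directive (space-separated sources)."""
    return any(source_matches(s, url) for s in script_src.split())


# A JSONP endpoint should only accept a plain (dotted) identifier as callback,
# so that "foo[1].bar"-style values cannot smuggle arbitrary JS into the response.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def callback_is_safe(name: str) -> bool:
    return CALLBACK_RE.fullmatch(name) is not None


ORIGIN_POLICY = "https://www.google.com"               # whitelists every endpoint
PATH_POLICY = "https://www.google.com/js/"              # constructed, path-scoped
JSONP_URL = "https://www.google.com/jsapi?callback=foo[1].bar"   # from the thread
LIB_URL = "https://www.google.com/js/widget.js"          # constructed

if __name__ == "__main__":
    for policy in (ORIGIN_POLICY, PATH_POLICY):
        print(f"{policy!r}: jsapi allowed={script_allowed(policy, JSONP_URL)}, "
              f"widget allowed={script_allowed(policy, LIB_URL)}")
    print("callback 'foo[1].bar' safe:", callback_is_safe("foo[1].bar"))
```

Note that path scoping only helps if the JSONP path itself is left out: `source_matches("https://www.google.com/jsapi", JSONP_URL)` is still true because the query string is not part of the match.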