Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 8:02 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> That should be fairly easy. Even if blocked, call onload, and return the
>  image dimensions to the page. That is all a page can detect anyway.
>

An issue to consider with this approach is a CSRF attack vector. For
example if I have Content-Security-Policy: img-src 'images.example.com';
and the attacker injects the following:

<img src="https://api.example.com/perform/some/csrf-vulerable/action/delete/all/things" />

CSP would have prevented it, but if you load blocked resources the CSRF
attack would still be successful.

--
Pete Freitag
http://content-security-policy.com/ - CSP Quick Reference

Received on Wednesday, 12 February 2014 16:19:32 UTC