Re: Remove paths from CSP?

On 2/12/2014 8:18 AM, Pete Freitag wrote:
> An issue to consider with this approach is a CSRF attack vector. For
> example if I have Content-Security-Policy: img-src '
> <>'; and the attacker injects the following:
> <img
> src=""
> />
> CSP would have prevented it, but if you load blocked resources the CSRF
> attack would still be successful.

In most attack scenarios CSP was designed for if you can inject an <img>
tag you can probably get the user to load that URL in some other way
(maybe not stored XSS where the attacker only indirectly interacts with
the victim).

CSP was not designed to prevent CSRF; it's not surprising that it fails
to do so.

-Dan Veditz

Received on Thursday, 13 February 2014 17:21:15 UTC