- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 13 Feb 2014 09:20:46 -0800
- To: public-webappsec@w3.org
On 2/12/2014 8:18 AM, Pete Freitag wrote:
> An issue to consider with this approach is a CSRF attack vector. For example, if I have Content-Security-Policy: img-src 'images.example.com'; and the attacker injects the following:
>
> <img src="https://api.example.com/perform/some/csrf-vulerable/action/delete/all/things" />
>
> CSP would have prevented it, but if you load blocked resources the CSRF attack would still be successful.

In most attack scenarios CSP was designed for, if you can inject an <img> tag you can probably get the user to load that URL in some other way (maybe not stored XSS, where the attacker only indirectly interacts with the victim). CSP was not designed to prevent CSRF; it's not surprising that it fails to do so.

-Dan Veditz
Received on Thursday, 13 February 2014 17:21:15 UTC
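The exchange above turns on how an img-src source list decides what to fetch. As an added illustration (not code from the thread or from any browser), the following minimal CSP 1.0 source-expression matcher evaluates the quoted policy against both a legitimate image and the injected URL; the protected page's origin (https://www.example.com/) is an assumption, and CSP 1.1 path-parts are not handled. It shows that CSP allows or blocks purely by source, never by whether the request has side effects, which is why blocking the request is incidental to CSRF protection.

```python
# Added example: a minimal CSP 1.0 source-list matcher (not from the thread).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _host_matches(pattern, host):
    """CSP host-part: exact host, '*' for any host, or '*.example.com' for subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def source_allows(expr, url, page_url):
    """True if one CSP 1.0 source expression permits loading url from page_url."""
    u, page = urlsplit(url), urlsplit(page_url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port)
    if expr.endswith(":") and "/" not in expr:          # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1]
    scheme, host = expr.split("://", 1) if "://" in expr else (None, expr)
    host, port = host.rsplit(":", 1) if ":" in host else (host, None)
    # Without an explicit scheme, the protected resource's scheme applies.
    if u.scheme != (scheme or page.scheme):
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port is None:                                     # no port-part: default port only
        return url_port == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or url_port == int(port)

def img_allowed(img_src, url, page_url):
    """Evaluate an img-src directive value (whitespace-separated sources) against url."""
    return any(source_allows(e, url, page_url) for e in img_src.split())

# Constructed inputs mirroring the thread: the policy permits only images.example.com.
POLICY = "images.example.com"
PAGE = "https://www.example.com/"              # assumed origin of the protected page
LOGO = "https://images.example.com/logo.png"
CSRF_URL = "https://api.example.com/perform/some/csrf-vulerable/action/delete/all/things"

if __name__ == "__main__":
    print(img_allowed(POLICY, LOGO, PAGE))      # True: page scheme, host in the list
    print(img_allowed(POLICY, CSRF_URL, PAGE))  # False: host not in the list
```

Note that widening the list to `*.example.com` would let the same injected URL through, so the state-changing endpoint itself still needs its own CSRF defence.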