
Re: Remove paths from CSP?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 13 Feb 2014 09:20:46 -0800
Message-ID: <52FCFEEE.9090801@mozilla.com>
To: public-webappsec@w3.org
On 2/12/2014 8:18 AM, Pete Freitag wrote:
> An issue to consider with this approach is a CSRF attack vector. For
> example if I have Content-Security-Policy: img-src 'images.example.com';
> and the attacker injects the following:
> 
> <img src="https://api.example.com/perform/some/csrf-vulerable/action/delete/all/things" />
> 
> CSP would have prevented it, but if you load blocked resources the CSRF
> attack would still be successful.

In most attack scenarios CSP was designed for, if you can inject an <img>
tag you can probably get the user to load that URL in some other way
(maybe not stored XSS, where the attacker only indirectly interacts with
the victim).

CSP was not designed to prevent CSRF; it's not surprising that it fails
to do so.

-Dan Veditz
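As an added example (not from this thread or from any browser's CSP code), a small matcher implementing the CSP Level 2 host-source rules, assuming the protected page is served over https, applied to the img-src policy and injected URL from Pete's message. It also covers wildcard hosts, explicit ports and path prefixes, to show what a path in the source list adds and what a wildcard gives away:

```python
from urllib.parse import urlsplit

# Constructed inputs: the policy and the injected <img> URL quoted above.
POLICY_IMG_SRC = ["images.example.com"]
INJECTED_URL = "https://api.example.com/perform/some/csrf-vulerable/action/delete/all/things"

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_source(expr):
    """Split a host-source expression into (scheme, host, port, path).
    Assumes CSP Level 2 syntax; keyword sources such as 'self' are not handled."""
    scheme, rest = (None, expr)
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    path = None
    if "/" in rest:
        rest, tail = rest.split("/", 1)
        path = "/" + tail
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return (scheme.lower() if scheme else None), rest.lower(), port, path


def host_matches(pattern, host):
    # "*.example.com" matches subdomains only, never example.com itself.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, url, page_scheme="https"):
    scheme, host, port, path = split_source(expr)
    u = urlsplit(url)
    u_scheme, u_host = u.scheme.lower(), (u.hostname or "").lower()
    u_port = u.port or DEFAULT_PORTS.get(u_scheme)
    # Level 2 rule (assumed here): explicit scheme must match exactly;
    # without one, the URL must use the protected page's scheme.
    if scheme != u_scheme if scheme is not None else u_scheme != page_scheme:
        return False
    if not host_matches(host, u_host):
        return False
    if port is None and u_port != DEFAULT_PORTS.get(u_scheme):
        return False
    if port is not None and port != "*" and int(port) != u_port:
        return False
    if path:  # trailing "/" means prefix match, otherwise exact
        u_path = u.path or "/"
        return u_path.startswith(path) if path.endswith("/") else u_path == path
    return True


def img_allowed(sources, url, page_scheme="https"):
    return any(source_matches(s, url, page_scheme) for s in sources)
```

The enforced policy rejects the api.example.com load, but a wildcard source such as `*.example.com` admits it, which is one more reason the request itself, not CSP, has to carry the CSRF defence.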
Received on Thursday, 13 February 2014 17:21:15 UTC
