Re: CSP: 'no-external-navigation'?

I think it's both. If we can prevent the exfiltration of data, we can also
prevent phishing attacks.

CSP has done a great job solving this for us on many fronts -- allowing us
to restrict XHR, JSONP, image and font requests. So it seems like it's
suitable for it to solve the navigation vector (of course, limited to
iframes).

We haven't encountered postMessage hacks yet by users, but given those are
also an exfiltration mechanism, it seems like CSP would be a natural fit
for this too (e.g., having a message-src like directive).

A group is already implementing these two features for a specific system
(see http://www.scs.stanford.edu/~deian/cowl.pdf), so that might be
evidence that there are more folks besides me interested in these security
restrictions.

Thanks for talking through this with me!


On Mon, Jun 30, 2014 at 4:10 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> > The concerning aspect of this is that it can be used for something like
> > phishing attacks, to solicit and store user info.
>
> So as I understand it, you're not trying to prevent phishing as such,
> but want to prevent the exfiltration of data by making an outgoing
> request?
>
> I'm not sure this is something that CSP really solves (I think the
> early Mozilla drafts might have aimed for something along these
> lines). For the most part, CSP doesn't really prevent already-running
> JavaScript from using window.postMessage() to relay the data to
> another window, etc.
>

Received on Monday, 7 July 2014 02:52:24 UTC
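A simplified CSP evaluator, added here as an illustration and not taken from the thread or from any spec text, that models the coverage gap the message describes: the request kinds named above map to connect-src, script-src, img-src and font-src with default-src fallback, while a frame navigating itself and postMessage have no governing directive at all. Source-expression matching is reduced to 'self', 'none', scheme-only and host sources with an optional leading wildcard; the policy header and origins in the usage are constructed.

```javascript
// Simplified CSP evaluator (illustrative; not the spec's full matching algorithm).
// Maps the request kinds discussed in the mail to the fetch directive that
// governs them; a null entry models a kind CSP does not restrict at all.
const DIRECTIVE_FOR = {
  xhr: 'connect-src',    // XMLHttpRequest / fetch
  jsonp: 'script-src',   // JSONP is a <script> load
  image: 'img-src',
  font: 'font-src',
  navigation: null,      // no directive restricts where a frame may navigate itself
  postMessage: null,     // no 'message-src'-like directive exists
};

// Parse "dir a b; dir2 c" into { dir: ['a', 'b'], dir2: ['c'] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Match one source expression ('self', 'none', '*', "https:", host with
// optional "*." prefix and optional port) against a parsed target URL.
function sourceMatches(expr, url, self) {
  const e = expr.replace(/^'|'$/g, '').toLowerCase();
  if (e === 'none') return false;
  if (e === 'self') return url.origin === self.origin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  const effectivePort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && effectivePort !== port) return false;
  return true;
}

// Returns 'allowed' | 'blocked' | 'ungoverned' for a request of `kind` to
// `target`, issued by a document at `selfOrigin` that carries `header`.
function evaluate(header, kind, target, selfOrigin) {
  const directive = DIRECTIVE_FOR[kind];
  if (directive === null) return 'ungoverned';
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return 'allowed';   // neither the directive nor default-src set
  const url = new URL(target), self = new URL(selfOrigin);
  return sources.some(s => sourceMatches(s, url, self)) ? 'allowed' : 'blocked';
}
```

With a constructed policy such as `default-src 'self'; img-src https://cdn.example.com; font-src 'none'`, every fetch-type request to a foreign origin evaluates to blocked, while `navigation` and `postMessage` come back ungoverned regardless of the header.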