W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: CSP: 'no-external-navigation'?

From: pamela fox <pamela.fox@gmail.com>
Date: Sun, 6 Jul 2014 19:51:57 -0700
Message-ID: <CAEVChv38ihxBH5qUzCSgEBx_RceHwQvmZMWgBy_xuuBL4uH6tg@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I think it's both. If we can prevent the exfiltration of data, we can also
prevent phishing attacks.

CSP has done a great job solving this for us on many fronts -- allowing us
to restrict XHR, JSONP, image and font requests. So it seems like its
suitable for it to solve the navigation vector (of course, limited to
iframes).

We haven't encountered postMessage hacks yet by users, but given those are
also an exfiltration mechanism, it seems like CSP would be a natural fit
for this too (e.g., having a message-src like directive).

A group is already implementing these two features for a specific system
(see http://www.scs.stanford.edu/~deian/cowl.pdf), so that might be
evidence that there are more folks besides me interested in these security
restrictions.

Thanks for talking through this with me!


On Mon, Jun 30, 2014 at 4:10 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> > The concerning aspect of this is that it can be used for something like
> > phishing attacks, to solicit and store user info.
>
> So as I understand it, you're not trying to prevent phishing as such,
> but want to prevent the exfiltration of data by making an outgoing
> request?
>
> I'm not sure this is something that CSP really solves (I think the
> early Mozilla drafts might have aimed for something along these
> lines). For most part, CSP doesn't really prevent already-running
> JavaScript from using window.postMessage() to relay the data to
> another window, etc.
>
Received on Monday, 7 July 2014 02:52:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC