
Re: CSP: 'no-external-navigation'?

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 6 Jul 2014 21:56:25 -0700
Message-ID: <CALx_OUCo+FXdL2wAkCv99YFENyMsPHZxNdZCAZgzF2VbZinOaQ@mail.gmail.com>
To: pamela fox <pamela.fox@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> I think it's both. If we can prevent the exfiltration of data, we can also
> prevent phishing attacks.

Well, not per se - you still allow scripts that may ask the users for
their credentials and such; you're just hoping that they won't be able
to hand these over to a remote server or other document, right?

Unfortunately, the latter, I think, is probably ~impossible :-(
postMessage() is just one example, but there is a multitude of ways
that JavaScript in a sandbox can communicate with the outside world
without navigation or direct requests; for example, it's fairly
straightforward to relay messages by modulating CPU load, by putting
them in window.name or similar places, etc. There have been quite a
few academic papers that hinged on the assumption that such side
channels do not exist or can be suppressed reliably, but I haven't seen
anything that would seem realistic, TBH :-(

(In fact, the earliest experiment back in Netscape Navigator days is
probably http://docstore.mik.ua/orelly/web/jscript/ch20_04.html)

/mz

Received on Monday, 7 July 2014 04:57:15 UTC
