Re: CSP Level 2 last call comment from Mike West on 2014-09-03 (public-webappsec@w3.org from September 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 3 Sep 2014 15:04:23 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Hill, Brad" <bhill@paypal.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=f_--SEhoe10PnOh+3GwAEwXcTFnZAeoeDKTjDWkaY8rQ@mail.gmail.com>

I'm fairly certain that all modern browsers which don't implement
ancestorOrigins do implement the 'allow-from' extension to
'X-Frame-Options', which exposes the same information via the same
brute-force attack.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Sep 3, 2014 at 3:00 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Sep 3, 2014 at 2:31 PM, Mike West <mkwst@google.com> wrote:
> > Ok. That sounds reasonable. I suppose an attacker who had already gotten
> a
> > frame onto a page could embed a frame in that frame that could iterate
> > through possible URLs. Since we already expose origins via
> > `window.location.ancestorOrigins`, there's no additional risk in the
> origin
> > case.
> >
> > WDYT of
> >
> https://github.com/w3c/webappsec/commit/bdc66b7b704a944f4b0a03cfc79fb91c6fa31d65
> ?
>
> As far as I can tell ancestorOrigins is a proprietary extension. Until
> that changes you might be introducing a hole here for browsers that do
> not implement it?
>
>
> --
> http://annevankesteren.nl/
>

Received on Wednesday, 3 September 2014 13:05:15 UTC