- From: Xiaoyin Liu <xiaoyin.l@outlook.com>
- Date: Thu, 4 Feb 2016 00:57:36 +0800
- To: Kepeng Li <kepeng.lkp@alibaba-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 3 February 2016 16:58:38 UTC
Hi,

I don’t think plugins should be prohibited from modifying CSP headers. There may be some plugins modifying CSP to enhance security, such as to block mixed content on HTTPS pages. Also there are ways for malicious servers to abuse CSP to probe users’ information on other domains, so plugins can theoretically protect users from these attacks by removing malicious CSP rules.

Best,
Xiaoyin Liu

From: Kepeng Li
Sent: Wednesday, February 3, 2016 23:19
To: public-webappsec@w3.org
Subject: CSP header protection

Hello all,

We find that some plugins can modify the content of the HTTP CSP response header or even delete the whole CSP header. In this way, plugins can inject web content, and this will introduce some security problems.

I searched the archive; this issue was also raised about CSP 1.1 two years ago:
https://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

We propose to add some text to the CSP spec to emphasize that the CSP header must not be modified or deleted by the browser or plugins, to avoid this situation.

What do you think?

Thanks,
Kind Regards
Kepeng Li
Alibaba Group
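The benign case Xiaoyin Liu describes (a browser extension that tightens a page's CSP rather than removing it) looks like the following. This is an added example written for this archive page, not code from either poster or from any W3C deliverable. It assumes a Manifest V2 extension holding the `webRequest` and `webRequestBlocking` permissions and using the real `chrome.webRequest.onHeadersReceived` listener; the header-rewriting functions themselves are plain JavaScript and run outside a browser. Directive parsing follows the CSP serialization rules: directives are separated by `;`, a directive is a name followed by whitespace-separated values, names are ASCII case-insensitive, and when a name repeats the first occurrence wins.

```javascript
'use strict';

// Parse a serialized CSP header value into an ordered list of
// { name, values } objects. Duplicate directive names are dropped
// because the browser ignores all but the first occurrence anyway.
function parseCsp(headerValue) {
  const seen = new Set();
  const directives = [];
  for (const token of (headerValue || '').split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;           // empty token, e.g. trailing ';'
    const name = parts[0].toLowerCase();        // directive names are case-insensitive
    if (seen.has(name)) continue;               // first occurrence wins per spec
    seen.add(name);
    directives.push({ name, values: parts.slice(1) });
  }
  return directives;
}

// Serialize the parsed directives back into a single header value.
function serializeCsp(directives) {
  return directives
    .map(d => (d.values.length ? `${d.name} ${d.values.join(' ')}` : d.name))
    .join('; ');
}

// Strengthen a policy: add block-all-mixed-content when it is absent.
// Existing directives are kept verbatim, so the result is never looser
// than the server's own policy.
function hardenCsp(headerValue) {
  const directives = parseCsp(headerValue);
  if (!directives.some(d => d.name === 'block-all-mixed-content')) {
    directives.push({ name: 'block-all-mixed-content', values: [] });
  }
  return serializeCsp(directives);
}

// Rewrite a webRequest-style header list ([{ name, value }, ...]).
// Only HTTPS responses are touched. Every Content-Security-Policy header is
// hardened (a response may carry several, and each is enforced); if the
// response has none, a header containing only block-all-mixed-content is added.
function rewriteResponseHeaders(url, responseHeaders) {
  if (!url.startsWith('https://')) return responseHeaders;
  let found = false;
  const out = responseHeaders.map(h => {
    if (h.name.toLowerCase() !== 'content-security-policy') return h;
    found = true;
    return { name: h.name, value: hardenCsp(h.value) };
  });
  if (!found) {
    out.push({ name: 'Content-Security-Policy', value: 'block-all-mixed-content' });
  }
  return out;
}

// Extension wiring (assumed Manifest V2 extension with webRequest and
// webRequestBlocking permissions). Skipped when run outside a browser.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    details => ({
      responseHeaders: rewriteResponseHeaders(details.url, details.responseHeaders),
    }),
    { urls: ['https://*/*'], types: ['main_frame', 'sub_frame'] },
    ['blocking', 'responseHeaders']
  );
}
```

The same listener is, of course, exactly the hook an extension would use to delete or weaken the header, which is the concern raised in the original message: the browser API does not distinguish between the two directions, so any spec text that forbids modification has no enforcement point below the extension platform itself. Note also that Manifest V3 removed blocking `webRequest` for ordinary extensions in favour of `declarativeNetRequest`, which can still remove or modify response headers via `modifyHeaders` rules.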