- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 22 Jun 2012 23:10:48 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Mon, 7 May 2012, Adam Barth wrote:
>
> == Summary ==
>
> When creating a srcdoc document, we need to be careful to avoid
> introducing a Content-Security-Policy loophole.
>
> == Details ==
>
> Consider a document with the following Content-Security-Policy:
>
> Content-Security-Policy: default-src 'none'; frame-src *
>
> Now, imagine the following injection vulnerability in index.php:
>
> <body>Hello <?=$username?></body>
>
> This Content-Security-Policy is supposed to prevent the attacker from
> being able to inject script into index.php. However, consider the
> following value for $username:
>
> $username = '<iframe
> srcdoc="<script>alert(parent.document.cookie);</script>"></iframe>';
>
> In this case, we could get in trouble if the user agent doesn't
> enforce the parent document's Content-Security-Policy on the srcdoc
> document because the user agent copies the parent document's origin
> onto the child document.
>
> == Proposal ==
>
> When creating a srcdoc document, in the same way that we copy the
> parent document's origin onto the child document, we should:
>
> 1) /enforce/, on the srcdoc document, all CSP policies currently being
> enforced on the parent document.
> 2) /monitor/, on the srcdoc document, all CSP policies currently being
> monitored on the parent document.
>
> Please see <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>
> for definitions of these terms.

How is this different from the same attack but with:

   $username = '<iframe src="data:text/html,<script>alert(parent.document.cookie);</script>"></iframe>';

..., or:

   $username = '<iframe src="attacker-uploaded-file-without-csp.html"></iframe>';

...? That is, why is srcdoc="" special here?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 22 June 2012 23:11:23 UTC
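As an added illustration of the proposal quoted in this message (not code from the thread, the CSP spec, or any browser), the following JavaScript models a srcdoc child that inherits its parent's enforced and monitored policies, and contrasts it with a child fetched as its own response. The `parseCsp`, `createDocument`, `inlineScriptOutcome` and `srcdocScenario` names, and the simplified source matching (only `'unsafe-inline'` is considered; nonces, hashes and host matching are left out), are assumptions of this model.

```javascript
// Constructed model of the proposal (not the thread's or a browser's code); a policy is a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src; no policy at all allows everything.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get('default-src') || ['*'];
}

// Inline script needs 'unsafe-inline' (nonces and hashes are not modelled).
function allowsInlineScript(policy) {
  return effectiveSources(policy, 'script-src').includes("'unsafe-inline'");
}

// A document carries the policies enforced on it and those only monitored.
// `inheritCsp` switches the proposal on or off for srcdoc children.
function createDocument({ headers = {}, parent = null, srcdoc = false, inheritCsp = true } = {}) {
  const doc = { enforced: [], monitored: [] };
  if (headers['Content-Security-Policy'])
    doc.enforced.push(parseCsp(headers['Content-Security-Policy']));
  if (headers['Content-Security-Policy-Report-Only'])
    doc.monitored.push(parseCsp(headers['Content-Security-Policy-Report-Only']));
  if (srcdoc && parent && inheritCsp) {
    doc.enforced.push(...parent.enforced);   // proposal step 1: enforce the parent's policies
    doc.monitored.push(...parent.monitored); // proposal step 2: monitor the parent's policies
  }
  return doc;
}

// What happens to an inline <script> in `doc`: 'blocked' if any enforced policy
// forbids it, 'reported' (but still run) if only a monitored policy does, else 'allowed'.
function inlineScriptOutcome(doc) {
  if (doc.enforced.some(p => !allowsInlineScript(p))) return 'blocked';
  if (doc.monitored.some(p => !allowsInlineScript(p))) return 'reported';
  return 'allowed';
}

// The thread's scenario: index.php served with "default-src 'none'; frame-src *".
function srcdocScenario(inheritCsp) {
  const parent = createDocument({ headers: { 'Content-Security-Policy': "default-src 'none'; frame-src *" } });
  const child = createDocument({ parent, srcdoc: true, inheritCsp });
  return inlineScriptOutcome(child);
}
```

A child created with `createDocument({ parent, headers })` but without `srcdoc: true` is governed only by its own response headers, which is the case Ian's two alternatives describe.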