- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 May 2012 11:18:09 -0700
== Summary ==

When creating a srcdoc document, we need to be careful to avoid introducing a Content-Security-Policy loophole.

== Details ==

Consider a document with the following Content-Security-Policy:

    Content-Security-Policy: default-src 'none'; frame-src *

Now, imagine the following injection vulnerability in index.php:

    <body>Hello <?=$username?></body>

This Content-Security-Policy is supposed to prevent the attacker from being able to inject script into index.php. However, consider the following value for $username:

    $username = '<iframe srcdoc="<script>alert(parent.document.cookie);</script>"></iframe>';

In this case, we could get in trouble if the user agent doesn't enforce the parent document's Content-Security-Policy on the srcdoc document, because the user agent copies the parent document's origin onto the child document.

== Proposal ==

When creating a srcdoc document, in the same way that we copy the parent document's origin onto the child document, we should:

1) /enforce/, on the srcdoc document, all CSP policies currently being enforced on the parent document.
2) /monitor/, on the srcdoc document, all CSP policies currently being monitored on the parent document.

Please see <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html> for definitions of these terms.

Thanks!
Adam
Received on Monday, 7 May 2012 11:18:09 UTC
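The following is an added model of the loophole and the proposed rule, not code from the post or from any user agent: it copies a parent's origin onto a srcdoc document with or without its enforced and monitored CSP policies, then asks whether an inline script in the child would run. The policy parser, document objects and the outcome function are illustrative constructions; the policy string and scenario are the ones from the post.

```javascript
// Parse a CSP header value into {directive: [sources]} (constructed helper).
function parsePolicy(policyText) {
  const directives = {};
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return directives;
}

// Does one policy allow an inline <script>? script-src falls back to
// default-src; inline script needs 'unsafe-inline' in the governing list.
function allowsInlineScript(policy) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no directive governs script at all
  return sources.includes("'unsafe-inline'");
}

// Create a srcdoc document from its parent. inheritPolicies=false models the
// loophole (origin copied, policies not); true models proposal items 1 and 2.
function createSrcdocDocument(parent, inheritPolicies) {
  return {
    origin: parent.origin,
    enforcedPolicies: inheritPolicies ? [...parent.enforcedPolicies] : [],
    monitoredPolicies: inheritPolicies ? [...parent.monitoredPolicies] : [],
  };
}

// Injected inline script executes only if every enforced policy allows it;
// monitored (report-only) policies never block, they only produce a report.
function inlineScriptOutcome(doc) {
  const blocked = doc.enforcedPolicies.some((p) => !allowsInlineScript(p));
  const reported = doc.monitoredPolicies.some((p) => !allowsInlineScript(p));
  return { executes: !blocked, reported };
}

// Constructed scenario from the post: parent enforces the policy, monitors none.
const parent = {
  origin: "https://example.test", // placeholder origin
  enforcedPolicies: [parsePolicy("default-src 'none'; frame-src *")],
  monitoredPolicies: [],
};
const loophole = inlineScriptOutcome(createSrcdocDocument(parent, false));
const proposed = inlineScriptOutcome(createSrcdocDocument(parent, true));
// loophole.executes is true (script runs); proposed.executes is false (blocked)
```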