Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Tue, 1 Nov 2016 10:02:22 -0400
To: whatwg@lists.whatwg.org
Message-ID: <1bb76531-3464-2a8f-515d-1e58299187da@mit.edu>

On 11/1/16 6:36 AM, Roger Hågensen wrote:
> Wait, are you saying that ContentSecurityPolicy can't be relied upon?

It depends on your threat model.

Content security policy is a tool that allows a web page to defend 
itself and its users from cross-site script injection attacks and the 
like.  A fundamental assumption here is that the user is NOT the 
attacker, and hence the user's browser is cooperating with the web page 
to protect the user.  It's a perfectly fine tool for the "user and page 
author are cooperating" threat model.

If, on the other hand, your threat model includes attacks by the _user_ 
on your server, you absolutely can't rely on CSP to defend against that. 
Most simply, the user can use a browser that doesn't support CSP.  For 
addressing this class of attacks, you _have_ to rely on a completely 
server-side solution, because by assumption the client (the browser) is 
the attacker in this situation.

-Boris
Received on Tuesday, 1 November 2016 14:02:56 UTC
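The two threat models in the reply above, as an added illustration that is not code from the thread or from any WHATWG project. The toy bank server, its session ids and account names, the CSP matcher (which handles only `script-src`/`default-src` with `'self'`, `'unsafe-inline'` and plain host sources, not the full source-expression grammar) and the use of `X-Requested-With` as the client-supplied "this came from XHR" signal are all assumptions made for the example. A cooperating browser enforces the policy and blocks the injected inline script; a hostile client never reads the policy, sets whatever headers it likes, and is stopped only by the check the server does against its own state.

```python
"""Toy model of 'user cooperates with the page' vs 'user attacks the server'.

Added example, not from the mailing-list thread.  The server, sessions,
balances and header names below are constructed for illustration only.
"""

# Constructed policy: scripts only from the page's own origin or one CDN.
CSP = "default-src 'none'; script-src 'self' https://cdn.example"


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def script_allowed(policy: dict, page_origin: str, script_url) -> bool:
    """What a cooperating browser does with CSP.  script_url is None for an
    inline script.  Host matching is a simplified prefix check."""
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    if script_url is None:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and script_url.startswith(page_origin + "/"):
            return True
        if not src.startswith("'") and script_url.startswith(src + "/"):
            return True
    return False


class Server:
    """Hypothetical server: serves a page with CSP and a transfer endpoint."""

    def __init__(self):
        self.sessions = {"sess-alice": "alice", "sess-mallory": "mallory"}
        self.balances = {"alice": 100, "mallory": 0}

    def page(self) -> dict:
        # Response headers are advice to a cooperating browser, nothing more.
        # None stands for an inline script an attacker managed to inject.
        return {"headers": {"Content-Security-Policy": CSP},
                "scripts": ["https://bank.example/app.js", None]}

    def transfer_trusting_client(self, request: dict) -> bool:
        """Broken: gates on a client-supplied header, on the theory that CSP
        keeps anything but the page's own XHR from reaching this endpoint."""
        if request["headers"].get("X-Requested-With") != "XMLHttpRequest":
            return False
        return self._move(request["from"], request["to"], request["amount"])

    def transfer_checked(self, request: dict) -> bool:
        """Server-side check: authorization derived from server state only."""
        user = self.sessions.get(request["headers"].get("Cookie"))
        if user is None or user != request["from"]:
            return False
        return self._move(request["from"], request["to"], request["amount"])

    def _move(self, src: str, dst: str, amount: int) -> bool:
        if amount <= 0 or self.balances.get(src, 0) < amount or dst not in self.balances:
            return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True


def cooperating_browser(server: Server, page_origin="https://bank.example") -> list:
    """Threat model 1: the browser enforces CSP on the page's behalf."""
    resp = server.page()
    policy = parse_csp(resp["headers"]["Content-Security-Policy"])
    return [script_allowed(policy, page_origin, s) for s in resp["scripts"]]


def hostile_client() -> dict:
    """Threat model 2: the user is the attacker.  The client ignores CSP
    entirely and forges the header the naive endpoint relies on."""
    forged = {"headers": {"X-Requested-With": "XMLHttpRequest",
                          "Cookie": "sess-mallory"},
              "from": "alice", "to": "mallory", "amount": 100}
    naive, checked = Server(), Server()
    return {
        "trusting_accepted": naive.transfer_trusting_client(forged),
        "trusting_alice_balance": naive.balances["alice"],
        "checked_accepted": checked.transfer_checked(forged),
        "checked_alice_balance": checked.balances["alice"],
    }


if __name__ == "__main__":
    print("cooperating browser ran scripts:", cooperating_browser(Server()))
    print("hostile client outcome:", hostile_client())
```

The point of the split is that nothing the server puts in a response header changes what `hostile_client` sends; only `transfer_checked`, which consults the session table the server itself holds, distinguishes Mallory from Alice.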