Hi,

If I'm not mistaken, there is a hypothetical situation where CSP can be used to the benefit of an attacker. Consider the scenario where:

* the website contains a stored header injection vulnerability,
* the website contains an XSRF vulnerability, and
* the web client supports CSP.

To exploit an XSRF vulnerability, an attacker needs some way to direct the web client to the vulnerable URL. This usually requires a social engineering attack or an XSS vulnerability. A (stored) header injection vulnerability is generally not enough. However, by injecting an X-Content-Security-Policy header with the policy-uri set to the vulnerable URL, the web client can be tricked into visiting the vulnerable URL.

In practice, this scenario will not often occur, as stored header injections are rare. And when it does occur, easier-to-execute attacks are often also conceivable. Still, there is a small risk.

A solution to this problem would be to require the policy document to have a fixed location on the website, instead of allowing it to be specified through a URI.

Regards,
Serge

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
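As an added example (not part of Serge's post and not Mozilla code), the following Python implements the two server-side checks a defender would want for the scenario above: rejecting header values that contain CR/LF (the precondition for header injection) and enforcing the fix the post proposes, namely that a `policy-uri` may only ever point at one fixed, same-origin location. The directive syntax assumed here (`name value value; name value`, as in `allow self; policy-uri /csp/policy.txt`) is the draft X-Content-Security-Policy form; the fixed path `/csp/policy.txt`, the page URL and the sample headers are constructed for the example.

```python
"""Added example (not from the original mailing-list post).

Assumptions, not stated in the post:
  - draft X-Content-Security-Policy syntax: directives separated by ';',
    each written as 'name value value ...'.
  - the site keeps its policy document only at FIXED_POLICY_PATH on its
    own origin (the fix Serge proposes); any other policy-uri is a finding.
"""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

FIXED_POLICY_PATH = "/csp/policy.txt"          # hypothetical fixed location
HEADER_NAME = "x-content-security-policy"      # compared case-insensitively


def header_value_is_safe(value: str) -> bool:
    """A header value must not contain CR, LF or NUL; those are what let an
    injected value terminate one header and start another."""
    return not any(ch in value for ch in ("\r", "\n", "\0"))


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Parse 'allow self; policy-uri /p' into {'allow': ['self'], 'policy-uri': ['/p']}."""
    directives: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def policy_uri_allowed(header_value: str, page_url: str) -> bool:
    """True if the header carries no policy-uri, or its single policy-uri
    resolves (relative to the page) to exactly FIXED_POLICY_PATH on the
    page's own scheme and host, with no query or fragment."""
    uris = parse_csp(header_value).get("policy-uri")
    if uris is None:
        return True
    if len(uris) != 1:
        return False
    resolved = urlsplit(urljoin(page_url, uris[0]))
    page = urlsplit(page_url)
    return (
        (resolved.scheme, resolved.netloc) == (page.scheme, page.netloc)
        and resolved.path == FIXED_POLICY_PATH
        and not resolved.query
        and not resolved.fragment
    )


def audit_response_headers(headers: list[tuple[str, str]], page_url: str) -> list[str]:
    """Return one finding per problem in the response headers (empty list = clean)."""
    findings: list[str] = []
    for name, value in headers:
        if not header_value_is_safe(value):
            findings.append(f"{name}: value contains CR/LF/NUL (header injection)")
        if name.lower() == HEADER_NAME and not policy_uri_allowed(value, page_url):
            findings.append(f"{name}: policy-uri is not the fixed document {FIXED_POLICY_PATH}")
    return findings


# Constructed sample data for a stand-alone run.
PAGE_URL = "https://www.example.com/profile"
GOOD_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Content-Security-Policy", "allow self; policy-uri /csp/policy.txt"),
]
BAD_HEADERS = [
    ("Content-Type", "text/html"),
    # policy-uri pointing at an arbitrary same-origin URL instead of the fixed document
    ("X-Content-Security-Policy", "allow self; policy-uri /account/action?do=x"),
    # a value carrying a CR/LF, i.e. the raw material of a header injection
    ("X-Custom", "ok\r\nX-Content-Security-Policy: policy-uri /account/action"),
]

if __name__ == "__main__":
    print("good:", audit_response_headers(GOOD_HEADERS, PAGE_URL))
    print("bad: ", audit_response_headers(BAD_HEADERS, PAGE_URL))
```

Run on the constructed data, the clean response yields no findings, while the second yields two: one for the `policy-uri` that leaves the fixed document and one for the CR/LF in the custom header. Resolving the URI with `urljoin` before comparing is what makes relative forms (`/csp/policy.txt`, `policy.txt`, `//other-host/...`) all land on the same comparison as the absolute form.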