Serge van den Boom wrote on 6/23/2009 3:48 PM:
> On 2009-06-23, Bil Corry <b...@corry.biz> wrote:
>> Serge van den Boom wrote on 6/23/2009 8:13 AM:
>>> However, by injecting an X-Content-Security-Policy header with the
>>> policy-uri set to the vulnerable URL, the web client can be tricked into
>>> visiting the vulnerable URL.
>> It would only work for those pages where an X-Content-Security-Policy
>> header has not already been set -- additional
>> X-Content-Security-Policy headers are ignored.
>
> The injected header could be the first one though, with the genuine
> header being ignored.
True, but the attacker could simply split the header and issue a redirect to any page they desire, and skip trying to exploit CSP entirely.

>> But beyond that, the proposed "Link" header would provide the same
>> attack surface, and cannot be restricted to a known URI:
>
> I was not familiar with that proposal, but skimming through it, it
> appears that these links are not resolved automatically, making this
> header less interesting for attackers. The same goes for the standard
> "Content-Location" header.

Section 5 indicates it's "semantically equivalent to the <LINK> element in HTML" -- so presumably that means the browser will retrieve a stylesheet specified by the header before rendering the page.

- Bil
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
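To make the header-injection scenario in this exchange concrete, here is an added example; it is not code from the thread, from Mozilla, or from the CSP implementation being discussed. It models a hypothetical server handler that reflects an attacker-controlled value into a response header without stripping CR/LF, emitted ahead of the site's genuine X-Content-Security-Policy header. Both attacks from the thread are shown: prepending a CSP header whose policy-uri points at a URL of the attacker's choosing so a "first header wins" client honours it, and splitting the response outright to insert a redirect and bypass CSP altogether. The host names, the `allow 'self'` policy string and the first-header-wins client model are constructed assumptions for illustration.

```python
# Added example (not from the dev-security thread). Models HTTP response header
# injection through a reflected value, and a hardened builder that rejects it.
# Hosts, paths, the genuine policy string and the client model are assumptions.
import re

GENUINE_POLICY = "allow 'self'"   # hypothetical site policy
CRLF = "\r\n"


def build_response_naive(lang):
    """Vulnerable: the attacker-controlled 'lang' lands in a header verbatim.
    The reflected Set-Cookie line is written *before* the genuine CSP header,
    so anything injected through it is the first thing the client sees."""
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "Set-Cookie: lang=" + lang,
        "X-Content-Security-Policy: " + GENUINE_POLICY,
        "",
        "<html>hello</html>",
    ]
    return CRLF.join(lines)


_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_safe(lang):
    """Hardened: refuse any header value containing CR, LF or NUL. Rejecting
    (rather than silently stripping) surfaces the tampering to the caller."""
    if _FORBIDDEN.search(lang):
        raise ValueError("CR/LF in header value")
    return build_response_naive(lang)


def rejects(lang):
    """True if the hardened builder refuses the value."""
    try:
        build_response_safe(lang)
    except ValueError:
        return True
    return False


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...], body).
    Header order is preserved because the client behaviour discussed in the
    thread (only the first X-Content-Security-Policy header counts) depends on it."""
    head, _, body = raw.partition(CRLF + CRLF)
    status, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")   # first colon only; URLs keep theirs
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def first_header(headers, name):
    """Model of a client that honours only the first occurrence of a header."""
    for n, v in headers:
        if n == name.lower():
            return v
    return None


def effective_policy(builder, lang):
    """Which X-Content-Security-Policy value a first-header-wins client applies."""
    _, headers, _ = parse_response(builder(lang))
    return first_header(headers, "X-Content-Security-Policy")


def status_lines(raw):
    """All HTTP status lines in the stream. More than one means the response was
    split, and a client may treat the second as a separate response (a redirect)."""
    return re.findall(r"^HTTP/1\.[01] \d{3}[^\r\n]*", raw, flags=re.MULTILINE)


# Constructed attacker payloads.
# 1) Prepend a CSP header with an attacker-chosen policy-uri.
INJECT_POLICY = ("en" + CRLF +
                 "X-Content-Security-Policy: policy-uri http://victim.invalid/vulnerable")
# 2) Skip CSP entirely: terminate the response and start a second one that redirects.
INJECT_REDIRECT = ("en" + CRLF + "Content-Length: 0" + CRLF + CRLF +
                   "HTTP/1.1 302 Found" + CRLF +
                   "Location: http://attacker.invalid/" + CRLF +
                   "Content-Length: 0" + CRLF)

if __name__ == "__main__":
    print(effective_policy(build_response_naive, "en"))
    print(effective_policy(build_response_naive, INJECT_POLICY))
    print(len(status_lines(build_response_naive(INJECT_REDIRECT))))
    print(rejects(INJECT_POLICY), rejects("en"))
```

The fix belongs at the point where untrusted data is written into a header: validate the value there, since once CR/LF reaches the wire neither CSP nor any other header can be trusted to be the one the server intended.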