On 2009-06-23, Bil Corry <[email protected]> wrote:
> Serge van den Boom wrote on 6/23/2009 3:48 PM: 
>> On 2009-06-23, Bil Corry <[email protected]> wrote:
>>> Serge van den Boom wrote on 6/23/2009 8:13 AM: 
>>>> However, by injecting an X-Content-Security-Policy header with the
>>>> policy-uri set to the vulnerable URL, the web client can be tricked
>>>> into visiting the vulnerable URL.
>>> It would only work for those pages where an X-Content-Security-Policy
>>> header has not already been set -- additional
>>> X-Content-Security-Policy headers are ignored.
>> 
>> The injected header could be the first one though, with the genuine
>> header being ignored.
>
> True, but the attacker could simply split the header and issue a
> redirect to any page they desire and skip trying to exploit CSP
> entirely.

If you are thinking of adding a Location header: that shouldn't have any
effect unless you have a 3xx status code, which you can't influence with
a header injection.
However, the attacker could end the header in their injection, and add a
body of their own -- this was in fact what I was thinking of when I
wrote "when it does occur, often also easier to execute attacks are
conceivable" in my original posting. But it is conceivable that the
header injection vulnerability only allows for the insertion of a small
number of characters. In this case, CSP does actually make an exploit
possible which wasn't otherwise realizable.

Though I agree that the likelihood of these circumstances occurring in
practice is low. Still, the risk can be eliminated completely, if the
loss of flexibility is deemed acceptable.

>>> But beyond that, the proposed "Link" header would provide the same
>>> attack surface, and can not be restricted to a known URI:
>> 
>> I was not familiar with that proposal, but skimming through it, it
>> appears that these links are not resolved automatically, making this
>> header less interesting for attackers. The same goes for the standard
>> "Content-Location" header.
>
> Section 5 indicates it's "semantically equivalent to the <LINK>
> element in HTML" -- so presumably that means the browser will retrieve
> a stylesheet specified by the header before rendering the page.

I see. If that is implemented in all browsers which implement CSP, then
that would indeed make the CSP attack vector less interesting.

Serge

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
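The header-injection scenario discussed in this thread, as an added example that is not from the thread or from any CSP implementation: a naive response builder beside one that rejects CR/LF in header values, plus a first-header-wins lookup showing why an injected policy-uri placed before the genuine header would be the one a client acts on. The status line, cookie value, policy text and URL are constructed placeholders.

```python
CSP_HEADER = "X-Content-Security-Policy"          # the 2009 draft header name

class HeaderInjectionError(ValueError):
    """A header name or value would terminate the current header line."""

def build_response_naive(status_line, headers):
    """Vulnerable form: concatenates names and values without validation."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def build_response_safe(status_line, headers):
    """Hardened form: refuse any name or value containing CR or LF."""
    for name, value in headers:
        if "\r" in name + value or "\n" in name + value:
            raise HeaderInjectionError(f"CR/LF in header {name!r}")
    return build_response_naive(status_line, headers)

def parse_headers(raw):
    """Split a raw response into (name, value) pairs in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")    # split at the first colon only
        pairs.append((name.strip(), value.strip()))
    return pairs

def first_header(headers, name):  # first occurrence wins, later duplicates ignored
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

# Constructed sample: a Set-Cookie value echoing untrusted input, emitted
# before the genuine policy header. The policy URL is a placeholder.
STATUS = "HTTP/1.1 200 OK"
GENUINE = (CSP_HEADER, "allow 'self'")
TAINTED = "sid=1\r\n" + CSP_HEADER + ": policy-uri http://policy.example/p"

def demo_naive():
    """Policy a first-wins client would act on: the injected one."""
    raw = build_response_naive(STATUS, [("Set-Cookie", TAINTED), GENUINE])
    return first_header(parse_headers(raw), CSP_HEADER)

def demo_safe():
    """'rejected' when the hardened builder refuses the tainted value."""
    try:
        build_response_safe(STATUS, [("Set-Cookie", TAINTED), GENUINE])
        return "accepted"
    except HeaderInjectionError:
        return "rejected"
```

The same CR/LF check belongs on header names and on anything folded into a Location or Set-Cookie value, since the builder is only as safe as the values it is handed.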
