> class) can give people power to do surprising things (e.g. internal
> network ping sweeping, user history enumeration respectively).

Isn't the ping sweeping threat already taken care of by CSP? No
requests to internal networks will be honored, as they won't be allowed
by the policy (although it's not a threat present in the threat model
for CSP).

Regarding history enumeration -- I don't see why it should be part
of CSP. A separate header - X-Safe-History - can be used.

Cheers
Devdatta

On Oct 19, 6:43 am, Johnathan Nightingale <john...@mozilla.com> wrote:
> On 19-Oct-09, at 7:34 AM, Gervase Markham wrote:
>
> > On 15/10/09 22:20, Brandon Sterne wrote:
> >> IOW, we need to decide if webpage defacement via injected style is in
> >> the threat model for CSP and, if so, then we need to do B.
>
> > Is it just about defacement, or is it also about the fact that CSS  
> > can bring in behaviours etc?
>
> > If it's about defacement, then there's no set of "non-dangerous  
> > stylesheet constructs", and you can ignore my C. I think that,  
> > without executing JS code support, the successful attacks you could  
> > mount using CSS are limited. I guess you might put a notice on the  
> > bank website: "Urgent! Call this number and give them all your  
> > personal info!"...
>
> Not as limited as you might like. Remember that even apparently non-
> dangerous constructs (e.g. background-image, the :visited pseudo  
> class) can give people power to do surprising things (e.g. internal  
> network ping sweeping, user history enumeration respectively).
>
> J
>
> ---
> Johnathan Nightingale
> Human Shield
> john...@mozilla.com

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
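
The question raised in the thread, whether the policy refuses a `background-image` load aimed at an internal address, as an added example that is not part of the original messages. It is a simplified source-list check using the `img-src` and `default-src` directive names from CSP as later standardized; the policy strings, origins and URLs are constructed, and path matching and scheme upgrades are left out.

```javascript
// Added example: simplified CSP source-list matching for image loads.
// Covers 'none', 'self', '*', and [scheme://][*.]host[:port]; paths are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // First occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  const isWeb = url.protocol === 'http:' || url.protocol === 'https:';
  if (source === '*') return isWeb;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // 'none', other keywords and unparsed tokens match nothing
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? scheme.toLowerCase() + ':' !== url.protocol : !isWeb) return false;
  const target = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !target.endsWith('.' + want) : target !== want) return false;
  if (port === '*') return true;
  // URL.port is '' when the URL uses the scheme's default port.
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return (url.port || defaultPort) === (port || defaultPort);
}

// Images, including CSS background-image, are governed by img-src,
// falling back to default-src; with neither present nothing is restricted.
function allowsImage(policyHeader, imageUrl, pageOrigin) {
  const policy = parsePolicy(policyHeader);
  const sources = policy.get('img-src') || policy.get('default-src');
  if (!sources) return true;
  const url = new URL(imageUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample values.
const PAGE = 'https://bank.example.com';
const POLICY = "default-src 'self'; img-src 'self' https://static.example.com";
const INTERNAL = 'http://192.168.1.1/favicon.ico';
console.log(allowsImage(POLICY, INTERNAL, PAGE));
console.log(allowsImage(POLICY, 'https://static.example.com/logo.png', PAGE));
console.log(allowsImage("script-src 'self'", INTERNAL, PAGE));
```

The internal load is refused only when the image directive (or its fallback) is restrictive; a policy with `img-src *` or with no image-related directive leaves it allowed.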
