On Thu, Oct 22, 2009 at 10:15 AM, Mike Ter Louw <[email protected]> wrote:
> I think this is a good start, and should be an option for sites that don't
> want CSP to provide any other CSRF restrictions. I've added an additional
> directive to the wiki, but it needs further definition.

I think it might be better to focus this module on the "forum poster" threat
model. Instead of assuming the attacker can inject arbitrary content, we
should limit the attacker to injecting content that is allowed by popular
forum sites (e.g., bbcode). At a first guess, I would limit the attacker to
text, hyperlinks, and images. (And maybe bold / italics, if that matters.)

On Thu, Oct 22, 2009 at 10:16 AM, Devdatta <[email protected]> wrote:
> I don't understand. In each of the cases above, the attacker site will
> not enable the directives and img requests or form requests from his
> page will cause a CSRF to occur.

We might decide to concern ourselves only with "zero click" attacks, meaning
that once the user has clicked on the attacker's content, all bets are off.
If we imagine a 1% click-through rate, then we've mitigated 99% of the
problem.

On Thu, Oct 22, 2009 at 10:19 AM, Devdatta <[email protected]> wrote:
> requiring it to implement this policy regardless of the running script
> context would require the UA to maintain a cache of policies for each
> site the user has visited. This is against the requirements of the
> base module. And I for one am against any such type of caching
> requirement in the UA.

I agree that directives should affect only the current page.

On Thu, Oct 22, 2009 at 10:31 AM, Mike Ter Louw <[email protected]> wrote:
> For image CSRF, some protection would be required against redirection.
> Either redirection must be disallowed, or anti-csrf needs to be enforced
> for all redirections until the resource is located. But I'm not sure if
> the latter is going to work if CSP policies are not composable, and any
> of the redirections or the image itself defines a CSP policy.

I agree that cookieless-images should affect all redirects involved in
loading the image.

> Form requests to attacker.com would presumably be blocked, as
> attacker.com isn't in |self| nor the whitelist. So the attacker won't
> be able to direct the user to a page without anti-csrf protection using
> forms. But again this requires some enforcement of the whitelist during
> any redirects.

I think we should assume that the attacker cannot inject form elements
because this is uncommon in forum web sites.

Adam
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
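The redirect point raised in the thread (a cookieless-images directive has to apply to every hop of the image load, not only to the first request) is easy to model. The following is an added example written for this page; it is not code from the thread, from Mozilla, or from any browser. The `cookieless_images` and `enforce_on_redirects` flags, the hostnames, URLs and cookie values are all constructed for the illustration, and the "servers" are a dictionary standing in for real HTTP responses.

```python
"""Toy model of a 'cookieless images' directive (constructed example, not
browser or CSP specification code).

If the directive strips cookies only from the first <img> request, an image
that 302s to a state-changing URL on another site still arrives carrying that
site's cookies. Enforcing the directive on every hop until the image is
located closes that gap. Hostnames, URLs and cookies below are made up.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MAX_REDIRECTS = 5


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status plus Location for 3xx."""
    status: int
    location: Optional[str] = None


@dataclass
class RequestLog:
    """Records every request the toy browser issued as (url, Cookie header)."""
    entries: List[Tuple[str, Optional[str]]] = field(default_factory=list)


# Constructed origin map. The forum lets posters embed images; one poster's
# image URL redirects to a GET endpoint on bank.example that changes state.
SERVERS: Dict[str, Response] = {
    "https://imgs.example/pic.png": Response(302, "https://bank.example/transfer?to=mallory"),
    "https://bank.example/transfer?to=mallory": Response(200),
    "https://imgs.example/cat.png": Response(200),
}

# Constructed cookie jar, keyed by host, for the user viewing the forum page.
COOKIE_JAR: Dict[str, str] = {
    "bank.example": "session=abc123",
    "imgs.example": "prefs=dark",
}


def cookies_for(url: str) -> Optional[str]:
    """Cookies the toy browser would attach to a request for this URL."""
    return COOKIE_JAR.get(urlparse(url).hostname or "")


def load_image(url: str, cookieless_images: bool, enforce_on_redirects: bool,
               log: RequestLog) -> Optional[str]:
    """Follow an <img> load through redirects, applying the directive per hop.

    enforce_on_redirects=False models the naive implementation (strip cookies
    on the first hop only); True models the behaviour the thread argues for.
    Returns the URL that finally answered 200, or None on error / redirect loop.
    """
    for hop in range(MAX_REDIRECTS + 1):
        strip = cookieless_images and (enforce_on_redirects or hop == 0)
        cookie = None if strip else cookies_for(url)
        log.entries.append((url, cookie))
        resp = SERVERS.get(url)
        if resp is None:
            return None
        if 300 <= resp.status < 400 and resp.location:
            url = resp.location
            continue
        return url
    return None  # too many redirects


def hosts_that_received_cookies(log: RequestLog) -> List[str]:
    """Hosts that saw a Cookie header on some hop: the CSRF-relevant set."""
    return sorted({urlparse(u).hostname or "" for u, c in log.entries if c is not None})


def run(cookieless_images: bool, enforce_on_redirects: bool) -> List[str]:
    """Load the redirecting image under one policy configuration."""
    log = RequestLog()
    load_image("https://imgs.example/pic.png", cookieless_images, enforce_on_redirects, log)
    return hosts_that_received_cookies(log)


if __name__ == "__main__":
    print("no directive:          ", run(False, False))  # ['bank.example', 'imgs.example']
    print("first hop only:        ", run(True, False))   # ['bank.example']
    print("enforced on redirects: ", run(True, True))    # []
```

The middle case is the one to watch for in a real implementation: the forum page's policy was honoured for the request it could see, yet the state-changing request on bank.example still carried the session cookie, because the policy decision was not carried along with the redirect chain.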
