Thank you Boris and Daniel, for the information.


On 10-12-2012 03:11 Boris Zbarsky wrote:
> 1)  Loading a cross-site file that can be decoded as an image allows
> access to the width and height of the image.

Is this also true for video?

> 2)  Loading a cross-site file with a text/css MIME type as a stylesheet
> allows a site to examine the effects of that stylesheet on elements of
> the page (e.g. by looking at their computed style).

According to the documentation I have read, this is the case in Firefox and IE (though I know Firefox allows CSS loads without a Content-Type header). Chrome allows some CSS loads with any Content-Type if the first part is valid, whatever that means.

> 3)  Loading a cross-site file as a script allows a site to examine its
> effects on the script environment and DOM of the site (but does NOT
> allow access to things like line text information of exceptions from
> that script).

This makes JSON interesting. From what I have read, the data is not available cross-site, but you can detect if the root is a non-empty object versus any other type. Non-empty objects fail earlier in the processing, so they may be exposed to less attack surface.

> 5)  Loading data cross-site in an <object> may allow determination of
> what category its server-provided MIME type falls into (at least far
> enough to tell apart "image", "document", and "not supported").

I didn't know that. Do you have an example?


I have also read somewhere that it may be possible to trick users into copying or dragging data out of an invisible frame, so I think X-Frame-Options is required.

> I'm not sure there's a clear and unambiguous list anywhere.

That is what I thought. It would be nice if browsers supported an HTTP header or similar saying "don't allow any cross-site exceptions on this response".

Some of your formulations in your answers inspired me to try some different search terms, where I was able to find this:
http://code.google.com/p/browsersec/wiki/Part2#Life_outside_same-origin_rules

On 13-12-2012 05:36 Daniel Veditz wrote:
> CSP may or may not in the future try to protect against cross-site use
> of resources. It's taken a step in that direction with Mozilla's
> original frame-ancestors directive (not included in the spec) and the
> probable adoption of frame-options in CSP 1.1.
>
> There has also been a proposed "From-Origin:" header to protect
> resources in the way you're trying. It seems to have withered, so don't
> expect to use it, but it is at least evidence that some people are
> thinking along these lines:
> http://www.w3.org/TR/2012/NOTE-from-origin-20120529/

It is very nice to see that there has been some thought around this among web browsers. I hope this will give us something we can use soon. The list of same-origin exceptions is just too complicated, especially with the ways one language can be interpreted as another language.

> Any such mechanism is only interesting if it's supported broadly, so a
> less vendor-specific forum may be a better place (though we're happy to
> talk about it here!). One that has discussed similar issues in the past
> is the W3 public-webappsec list.
> http://lists.w3.org/Archives/Public/public-webappsec/

Maybe I will post there some time, but for now I have got a lot of information already that I need to think about. Thank you.

Jesper
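As an added example (not code from the thread or any of its participants), a small Python helper showing a server-side response to the script-inclusion and framing points discussed above: it flags JSON roots that would parse as a script when loaded via <script src>, wraps them in a non-empty object, prepends a prefix that is a JavaScript syntax error, and sets the framing and content-type headers. The prefix convention and the X-Content-Type-Options header are assumptions; neither is mentioned in the thread.

```python
import json

# Prefix that is a JavaScript syntax error, so a cross-site <script src>
# pointing at the JSON endpoint throws before any of the body is evaluated.
# The same-site client must strip it before parsing. Assumed convention,
# not something the thread describes.
JSON_ANTI_SCRIPT_PREFIX = ")]}',\n"


def root_parses_as_script(obj):
    """True if the JSON encoding of obj is also a valid JavaScript program.

    Per the thread, a non-empty object at the root is the one case that
    fails early as a script ('{"k":' is a block followed by a string label,
    which is a syntax error). Arrays, scalars, null and the empty object all
    parse as valid expression statements or an empty block.
    """
    return not (isinstance(obj, dict) and len(obj) > 0)


def wrap_root(obj):
    """Ensure the root is a non-empty object so the body cannot run as JS."""
    return obj if not root_parses_as_script(obj) else {"data": obj}


def encode_json_response(obj):
    """Serialize for the wire: wrapped root plus the anti-script prefix."""
    return JSON_ANTI_SCRIPT_PREFIX + json.dumps(wrap_root(obj))


def decode_json_response(text):
    """Same-site client side: reject bodies missing the prefix, then parse."""
    if not text.startswith(JSON_ANTI_SCRIPT_PREFIX):
        raise ValueError("response is missing the anti-script prefix")
    return json.loads(text[len(JSON_ANTI_SCRIPT_PREFIX):])


def harden_headers(headers, content_type):
    """Return a copy of headers with the cross-site inclusion mitigations
    from the thread applied: an explicit Content-Type (so a stylesheet or
    script load cannot rely on the browser guessing), X-Frame-Options DENY
    (invisible-frame copy/drag tricks), and nosniff (assumption: the thread
    does not mention it; it tells browsers not to reinterpret the type).
    """
    out = dict(headers)
    out["Content-Type"] = content_type
    out["X-Frame-Options"] = "DENY"
    out["X-Content-Type-Options"] = "nosniff"
    return out
```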
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security