Re: [CSP] may we have script-ancestors to protect JSONP call

As far as I know, CORS is used for XHR. If the user's browser does not support
CORS, then we also have to implement JSONP.

But if CSP supports this, it will help websites and users improve security, and
by using report-uri, the website can know if that causes an attack (at least
modern browsers will report this).


On Thu, Aug 28, 2014 at 1:02 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Hi
>
> Does CORS solve this use case more securely? I understand that CORS is not
> available on all browsers, but any browser that might implement the
> proposal you mention already supports CORS. I can't imagine a browser
> that doesn't support CORS but will support CSP v2.next
>
> thanks
> Dev
>
> On 27 August 2014 07:06, Hatter Jiang OWS <hatter@openwebsecurity.org>
> wrote:
> > The JSONP call is used more and more on websites. If the developer
> > offers a JSONP call like:
> >
> >   http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo
> >
> > If you are logged in, the browser will send the cookie to the server, and
> > the server may return:
> >
> >   ondisplayuserinfo({"username": "Hatter Jiang", "email":
> > "test_mail@example.com"});
> >
> > This JSONP can be used by other sites (like
> > http://evil.com/something_interesting.htm, and most browsers will allow
> > third-party cookies by default):
> >
> >   <script type="text/javascript">
> >     function ondisplayuserinfo(userInfo) {
> >        // TODO collect user info here
> >     }
> >   </script>
> >   <script type="text/javascript"
> >     src="http://www.example.com/showuserinvo.jsonp?callback=ondisplayuserinfo"></script>
> >
> > So the JSONP may be very unsafe and cause user info leaks. We can resolve
> > this issue by using CSRF token checking; we should add a CSRF check at the
> > server side, but it may take a long time to resolve it.
> >
> > And according to referrer-policy (http://www.w3.org/TR/referrer-policy/),
> > the referer may not be set, so we cannot resolve it simply by referer
> > checking.
> >
> > If CSP can be set like this:
> >
> >   script-ancestors: *.example.com
> >
> > Then the JSONP (actual script) call from evil.com will not take effect,
> > like frame-ancestors's behavior.
> >
> >
> > Hatter Jiang
>

Received on Thursday, 28 August 2014 05:36:28 UTC
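As an added example, not code from this thread, here is a server-side form of the two mitigations the thread discusses: a per-session CSRF token check on the JSONP endpoint (so an embedded `<script src=...>` on evil.com gets nothing back even though the cookie is sent), and the CORS JSON endpoint Dev suggests, which only echoes allow-listed origins. The session store, token and origin allowlist are constructed sample data, and the handler signatures are assumed, not those of any framework.

```python
import hmac
import json
import re

# Constructed sample data: one logged-in session, its CSRF token, and the
# origins that are allowed to read user info via CORS.
SESSIONS = {"sess-123": {"username": "Hatter Jiang", "email": "test_mail@example.com"}}
CSRF_TOKENS = {"sess-123": "tok-abc"}  # issued to example.com pages; not readable cross-site
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}
# Keep the callback a plain identifier so the response stays a function call.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]{0,63}$")


def jsonp_userinfo(cookies, query):
    """JSONP endpoint: the session cookie alone is not enough; the request must
    also carry the CSRF token that only same-site pages can obtain."""
    sid = cookies.get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, {}, ""
    expected = CSRF_TOKENS.get(sid, "")
    if not hmac.compare_digest(query.get("csrf", ""), expected):
        # evil.com can embed the <script> tag, but it cannot supply the token.
        return 403, {}, ""
    callback = query.get("callback", "")
    if not CALLBACK_RE.match(callback):
        return 400, {}, ""
    body = "%s(%s);" % (callback, json.dumps(session))
    return 200, {"Content-Type": "application/javascript"}, body


def cors_userinfo(cookies, headers):
    """CORS alternative: plain JSON that a foreign page can read only if its
    Origin is allow-listed. Other origins get no Access-Control-Allow-Origin,
    so the browser withholds the body from them."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, {}, ""
    resp_headers = {"Content-Type": "application/json", "Vary": "Origin"}
    origin = headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # Credentialed CORS must echo the exact origin; "*" is not permitted here.
        resp_headers["Access-Control-Allow-Origin"] = origin
        resp_headers["Access-Control-Allow-Credentials"] = "true"
    return 200, resp_headers, json.dumps(session)
```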