by alxlu
2902 days ago
Following up on this. It looks like I spoke too soon about the separate domain iframe, since that would be blocked by the iframe's cross domain policy. So if the domain you are currently on isn't listed in frame-src, it looks like you would be safe from this. But if you explicitly set frame-src to include either 'self' or the domain itself, then you would still be vulnerable to this.
> But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.
Exactly.
- There is a site foo.com, which has a CSP, but allows iframes from self or foo.com
- A user is able to inject some XSS to open an iframe to foo.com/50x.html, an nginx page with no CSP. Since CSP allows our own site to be used in iframes, this is allowed.
- In that page, further JS is injected to extract secrets from the foo.com parent page and connect them to remote networks. Since foo.com/50x.html has no CSP, this is allowed.
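The combination described in the reply above (a parent policy whose effective frame-src admits the site's own host, plus a same-origin response such as an nginx error page that carries no CSP) is something an audit can look for directly. The script below is an added example written for this page, not code from the thread; it works over a constructed list of (url, status, headers) tuples rather than live HTTP responses, and the hostnames foo.example and bar.example are placeholders. It models the CSP fallback chain (frame-src, then child-src, then default-src) and the source expressions that matter for same-origin framing ('self', '*', a host or scheme-host source, and a wildcard host, which per CSP does not match the bare domain).

```python
"""Flag same-origin frameable pages that are served without any CSP.

Added audit example for the thread above (not the thread's own code).
Input is a constructed list of responses; the hosts are placeholders.
"""
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def frame_sources(policy):
    """Effective frame-src list: falls back to child-src, then default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return ["*"]  # no governing directive: CSP does not restrict framing at all


def allows_same_origin_frames(policy, origin_host):
    """True if a page on origin_host may embed an iframe loaded from origin_host."""
    for src in frame_sources(policy):
        s = src.lower().strip("'")
        if s in ("self", "*"):
            return True
        if s == "none":
            continue
        host = urlparse(s if "://" in s else "//" + s).hostname or ""
        if host == origin_host:
            return True
        # *.foo.example matches subdomains only, never the bare domain
        if host.startswith("*.") and origin_host.endswith(host[1:]):
            return True
    return False


def _csp_of(headers):
    """Case-insensitive lookup of the CSP header; None when the response has none."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def find_unprotected_frameable(responses):
    """responses: iterable of (url, status, headers).

    Returns [(parent_url, frameable_url)] for every CSP-protected page whose
    policy admits same-origin frames, paired with each same-host response that
    carries no CSP (the 50x.html case from the thread).
    """
    by_host = {}
    for url, status, headers in responses:
        by_host.setdefault(urlparse(url).hostname, []).append((url, status, headers))
    findings = []
    for host, items in by_host.items():
        protected = [(u, parse_csp(_csp_of(h))) for u, _, h in items if _csp_of(h) is not None]
        unprotected = [u for u, _, h in items if _csp_of(h) is None]
        for parent_url, policy in protected:
            if allows_same_origin_frames(policy, host):
                findings.extend((parent_url, u) for u in unprotected)
    return findings


# Constructed sample: foo.example frames 'self' and serves an nginx 502 page
# without CSP; bar.example sets frame-src 'none' so the bare error page is inert.
SAMPLE_RESPONSES = [
    ("https://foo.example/", 200,
     {"Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src 'self'"}),
    ("https://foo.example/50x.html", 502, {"Content-Type": "text/html"}),
    ("https://bar.example/", 200,
     {"Content-Security-Policy": "default-src 'self'; frame-src 'none'"}),
    ("https://bar.example/50x.html", 502, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for parent, child in find_unprotected_frameable(SAMPLE_RESPONSES):
        print(f"{parent} may frame {child}, which is served without CSP")
```

On the nginx side the usual root cause is that `add_header` without the `always` parameter applies only to 2xx and 3xx responses, so a CSP configured for normal pages is silently absent on the 50x error page; adding `always` (nginx 1.7.5 and later) closes that gap, and tightening frame-src so it does not admit the site's own host removes the same-origin framing path altogether.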