by nailer
2900 days ago
Thanks for replying. Yeah I get this / agree with you now.

> But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.

Exactly.

- There is a site foo.com, which has a CSP, but allows iframes from self or foo.com.
- A user is able to inject some XSS to open an iframe to foo.com/50x.html, an nginx page with no CSP. Since CSP allows our own site to be used in iframes, this is allowed.
- In that page, further JS is injected to extract secrets from the foo.com parent page and connect them to remote networks. Since foo.com/50x.html has no CSP, this is allowed.
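As an added example (not code from the thread), a small Python check for the gap described above: does the site's policy let it iframe its own origin, and does any of its pages, such as an nginx error page, ship without a CSP header at all? The origin foo.com and the response table are constructed for illustration.

```python
"""Flag the same-origin iframe gap: frame-src permits 'self' or the site's
own host, while some page on the site returns no CSP header."""
from urllib.parse import urlparse

SITE_ORIGIN = "https://foo.com"  # assumed origin of the site under review


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def frame_sources(csp: dict) -> list:
    """frame-src falls back to child-src, then default-src, else unrestricted."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in csp:
            return csp[name]
    return ["*"]


def allows_self_framing(policy: str, origin: str = SITE_ORIGIN) -> bool:
    """True if the policy lets pages on `origin` embed `origin` in an iframe."""
    host = urlparse(origin).hostname
    sources = [s.strip("'").lower() for s in frame_sources(parse_csp(policy))]
    if sources == ["none"]:
        return False
    for s in sources:
        if s in ("self", "*"):
            return True
        src_host = urlparse(s if "://" in s else "//" + s).hostname or ""
        if src_host == host or (src_host.startswith("*.") and host.endswith(src_host[1:])):
            return True
    return False


def unprotected_pages(responses: dict) -> list:
    """Paths whose response headers carry no Content-Security-Policy."""
    return [p for p, h in responses.items()
            if not any(k.lower() == "content-security-policy" for k in h)]


def find_gap(policy: str, responses: dict, origin: str = SITE_ORIGIN) -> list:
    """Unprotected paths that an injected same-origin iframe could load."""
    return unprotected_pages(responses) if allows_self_framing(policy, origin) else []


# Constructed sample: the main page allows frames from self; the nginx
# error page is served with no CSP header at all.
SAMPLE_POLICY = "default-src 'none'; script-src 'self'; frame-src 'self' https://foo.com"
SAMPLE_RESPONSES = {
    "/": {"Content-Security-Policy": SAMPLE_POLICY},
    "/50x.html": {"Content-Type": "text/html"},
}
```

Run `find_gap` over the headers of every path your crawler or log pipeline sees; a non-empty result means the CSP has to be applied to error pages too, not just the application's own responses.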