by david_a_r_kemp
5300 days ago
I may be going over old ground, but don't the CSP violation reports (see https://developer.mozilla.org/en/Security/CSP/Using_CSP_viol... ) open up another attack vector? I know people who actually implement this are going to have their heads screwed on the right way, but having a page where you know you can generate server processing, and that is potentially not going to have much security around it, screams out to me as a good place to start an attack from. Especially as the spec is a bit vague about exactly what happens when (no head specified, for example; it doesn't say anything about including cookies or any other information). Also, fiesta.cc's CSP Report URI returns a response that says to keep the connection open. And, if you manage to get a script injected into a popular page, the site itself acts as a distribution system to enable distribution to multiple users. Something about this says to me it's not been thoroughly thought through.
The headers sent in the report included "Proxy-Authorization", so it was possible to steal web proxy credentials by forcing a policy violation on your site. Chrome's implementation didn't include the headers from the start. For more info:
https://grepular.com/Mozilla_Security_Bug_Reveals_Web_Proxy_...
And the original report (which was recently "unclassified"):
https://bugzilla.mozilla.org/show_bug.cgi?id=664983