Security/CSP/CSRFModule: Difference between revisions

Jump to navigation Jump to search

Security/CSP/CSRFModule (view source)

Revision as of 16:59, 22 October 2009

243 bytes added ,  22 October 2009
→‎Open Issues
Line 59: Line 59:
This section contains a list of open issues.  
This section contains a list of open issues.  


*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.  Form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).  Link activations are still vulnerable to this attack, however.
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.
Mtl
35

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/177749"

Navigation menu