Security/CSP/CSRFModule: Difference between revisions

Jump to navigation Jump to search

Security/CSP/CSRFModule (view source)

Revision as of 17:50, 22 October 2009

142 bytes added ,  22 October 2009
→‎Open Issues
No edit summary
Line 63: Line 63:
This section contains a list of open issues.  
This section contains a list of open issues.  


*Any policy governing the sending of cookies to URIs other than |self| requires enforcement of the policy over all HTTP redirects encountered while loading the URI.  This may be in conflict with [[Security/CSP/BaseModule|BaseModule]] if BaseModule defines CSP policies to be non-composeable.
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI.  (Presumably <tt>self</tt> is in control of its redirects.)  CSP policy enforcement may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).
Mtl
35

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/177768"

Navigation menu