On Mon, Mar 3, 2014 at 5:11 PM, Nick Gleason <n.glea...@citysoft.com> wrote:

> Pete,
>
> Much appreciated. I guess where I'm being a bit of a dunce is that in your
> example, if a malicious url.query variable was passed in by a hacker,
> wouldn't the display only be available on that single request? And if I
> come to the same search form 2 minutes later and do a normal search, won't
> it be clean? I guess that, assuming we have no sql injection to the db, I
> don't see how that attack stays persistent (as it would possibly for a
> comment or forum post). Sorry to be over-simple on this.

Hi Nick,

It is not a persistent attack unless it gets saved to a DB somewhere, etc. But it is still considered harmful, for example if I send you a link that uses JavaScript to write a login form on the page that submits to my server... then that is not a good thing. Normal visitors can't parse a query string to recognize that it is rewriting the DOM, especially when they see HTTPS they expect that everything on the page is as you intended it. Or the attacker might simply grab cookies and use them to hijack the victim's session. These examples are a bit more targeted; they will probably affect every user of the site, but the attacker can use the hole to eventually get the info they are after.

> Re: the content security policy, that looks very interesting. Watching a
> presentation on it now. One quick question. If we are using that on a site
> and then an admin comes in and uses an iframe widget from youtube to display
> a video on a page in the site, does that get filtered by CSP (and require an
> exception for youtube)? I gather that would need to be excepted in the
> frame-src header, right?
Yes, you would have to allow the youtube.com domain in your CSP header, eg:

Content-Security-Policy: default-src 'self'; frame-src 'self' youtube.com;

One thing to keep in mind with Content-Security-Policy is that when you enable it, it will also block inline scripts and style elements. You can override that using unsafe-inline, but then you also lose a lot of the benefits of CSP.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357846
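Pete's CSP header and the url.query search page from Nick's question, combined into one ColdFusion page as an added example (not code from the thread or from either poster). The file name search.cfm, the VIDEO_ID_PLACEHOLDER, and the per-request nonce used instead of 'unsafe-inline' are assumptions; it also assumes CF10 or later for encodeForHTML().

```cfml
<!--- Added example, not from the cf-talk thread. Assumes this is search.cfm on CF10+
      and that url.query is the search term Nick and Pete are discussing. --->
<cfparam name="url.query" default="">

<!--- Per-request nonce so the page's own inline script can run without 'unsafe-inline'.
      generateSecretKey() returns a base64 string an attacker cannot predict. --->
<cfset nonce = generateSecretKey("AES", 128)>

<!--- Pete's policy, with script-src carrying the nonce instead of 'unsafe-inline'.
      Sent before any output so the header actually reaches the browser. --->
<cfheader name="Content-Security-Policy"
          value="default-src 'self'; frame-src 'self' https://www.youtube.com; script-src 'self' 'nonce-#nonce#'">

<!--- The reflected output as Nick describes it (kept only as a comment, do not use):
      the term is written straight into the HTML, so a crafted link rewrites the DOM
      for whoever clicks it, which is the non-persistent attack Pete explains.
<cfoutput>Results for: #url.query#</cfoutput>
--->

<!--- Hardened version: context-aware encoding is the primary fix, CSP is the backstop
      in case some other page on the site forgets to encode. --->
<cfoutput>
<form method="get" action="search.cfm">
  <input type="text" name="query" value="#encodeForHTMLAttribute(url.query)#">
  <button type="submit">Search</button>
</form>
<p>Results for: #encodeForHTML(url.query)#</p>

<!--- The admin's YouTube widget: allowed by frame-src above, any other frame origin is blocked --->
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER" allowfullscreen></iframe>

<!--- Runs because it carries this request's nonce; an injected <script> has no nonce and is blocked --->
<script nonce="#nonce#">
  document.querySelector("input[name=query]").focus();
</script>
</cfoutput>
```

A bare host such as youtube.com in a CSP source list matches only that exact host, so an embed served from www.youtube.com needs www.youtube.com (or *.youtube.com) listed, which is why the header above spells out the www host.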