Hi,

About CSP, if we focus on the XSS subject, the plugin can try to detect whether the app protects itself against remote content loading using a policy (detection in the same way as the clickjacking plugin currently does).
As I understand it (based on section 4 of the W3C spec [0] and other readings), to protect against remote loading of scripts/plugins the app should put CSP HTTP response header(s) in one of these ways:

- Option 1: Use the "default-src" directive and set it to either "self" (load only from the source host+port) or explicit allowed sources.
- Option 2: Use the "script-src" and "object-src" directives and set them to either "self" or explicit allowed sources.

Section 4 of the W3C spec also says: "In either case, authors should not include 'unsafe-inline' in their CSP policies if they wish to protect themselves against XSS."

The disadvantage is that often (as I have seen in my daily job) an app includes inline script content in script tags, so implementing this check will cause many "false positives", but we could perhaps include an option in the plugin to enable it (disabled by default)...

The plugin can also detect the presence of "default-src", "script-src" or "object-src" directives with the value set to "*", because this indicates that all sources are allowed and remote content loading is fully open...

What do you think?

[0] http://www.w3.org/TR/CSP/#directives

--
Kind regards,
Best regards,
Dominique Righetto
dominique.righe...@gmail.com
dominique.righe...@owasp.org
Twitter: @righettod
GPG: 0x323D19BA
http://righettod.github.com
"No trees were killed to send this message, but a large number of electrons were terribly inconvenienced."
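The checks proposed in the message above, as an added example that is not part of the original post or of w3af's own plugin code: it parses a Content-Security-Policy header value, applies the default-src fallback for script-src and object-src, and reports a missing policy, a "*" wildcard, and (only when the optional switch is on, mirroring the "disabled by default" idea) 'unsafe-inline'. The function names, the finding messages and the sample header values are assumptions.

```python
# Added example (not w3af's own plugin code): checks a Content-Security-Policy
# header value the way the proposed plugin would. Function and message names
# are assumptions; the header value is passed in as a plain string.

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            # per the spec, the first occurrence of a directive wins
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy, directive):
    """script-src / object-src fall back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def check_remote_loading(header, report_unsafe_inline=False):
    """Return findings; an empty list means remote script/plugin loading is restricted."""
    if not header or not header.strip():
        return ["no CSP policy: remote content loading is unrestricted"]
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append("%s: neither it nor default-src is set" % directive)
            continue
        if "*" in sources:
            findings.append("%s: wildcard '*' allows loading from any source" % directive)
        # optional check, off by default because inline scripts are so common
        if report_unsafe_inline and directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' present, inline XSS is not blocked")
    return findings


if __name__ == "__main__":
    # constructed sample header values
    for hdr in ("default-src 'self'", "default-src *", "img-src 'self'"):
        print(repr(hdr), "->", check_remote_loading(hdr) or "OK")
```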