[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Gervase Markham gerv at gerv.net
Tue Jun 27 17:20:26 EDT 2006


Brian Eaton wrote:
> I don't think there is an incentive for CSL policy to be abused.  The
> vast majority of web sites are *happy* when people link to them, they
> don't want to prevent it.

But some do - and go to extraordinary lengths using referer and so on to
try and prevent deep linking or "image stealing". Loads more, I would
suggest, are unhappy about it but realise there's not much they can do
so they have to live with it.

> There are mechanisms used today to prevent cross-site linking, such as
> referer header checks, and frame busting code.  So CSL policy doesn't
> actually change what is possible, it just makes it easier.

And Referer is optional, for that reason. So it would also have to be
optional to respect CSL policy.

> Would you agree that there are legitimate reasons for me to block
> links from arbitrary sites to certain pages on my site?

Not really. I think that if doing so is a security risk for you, you
need to fix that, rather than expect the browsers to cover your back :-)

> Good point.  404 responses for the cslpolicy.xml file would have to be
> cached.  (I ought to check what the HTTP spec says about that idea...)
> Assuming the browser is permitted to cache the response, you wouldn't
> see hits for cslpolicy.xml for every cross-site link.  Just the first
> cross-site link a given user follows.

...to a particular site. And it's still one per user.

Gerv
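Added example (not part of Gerv's or Brian's messages, nor of any CSL proposal): the "referer header check" the thread mentions, written out as a small Python decision function so the point that Referer is optional is visible in code. A check that denies requests lacking the header blocks legitimate users (privacy tools, typed URLs and some HTTPS-to-HTTP transitions all send no Referer), while any client that sets the header itself passes, so the check is a courtesy to well-behaved browsers, not a security boundary. A naive substring form is shown beside the hostname-exact form. All hostnames, header values and sample requests are constructed for illustration.

```python
"""
Anti-deep-linking / anti-hotlinking decision based on the HTTP Referer header.

Added illustration, not code from the mailing-list thread. The hostnames and
sample requests are constructed; 'headers' is assumed to be a plain dict of
request header name -> value as a web framework would hand it to a handler.
"""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

ALLOW, DENY = "allow", "deny"


def referer_host(headers: Dict[str, str]) -> Optional[str]:
    """Lowercase hostname from the Referer header, or None when the header is
    absent, empty, or not a parsable absolute URL."""
    value = headers.get("Referer")
    if not value:
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:          # e.g. a malformed IPv6 literal
        return None
    return host.lower() if host else None


def naive_check(headers: Dict[str, str], site: str) -> str:
    """The common broken form: substring match on the raw header value.
    'site' appearing anywhere in the string counts as same-site, so
    https://www.SITE.attacker.example/ or https://attacker.example/?u=SITE
    pass, and a request with no Referer at all is denied outright."""
    value = headers.get("Referer", "")
    return ALLOW if site in value else DENY


def hotlink_check(headers: Dict[str, str], allowed_hosts: Set[str]) -> str:
    """Hostname-exact check that tolerates a missing Referer.

    Referer present, host in allowed_hosts -> allow (same-site link)
    Referer present, host elsewhere        -> deny  (cross-site deep link)
    Referer absent or unparsable           -> allow (the header is optional;
                                              denying here blocks real users)
    """
    host = referer_host(headers)
    if host is None:
        return ALLOW
    return ALLOW if host in allowed_hosts else DENY


def demo() -> Dict[str, str]:
    """Run the two checks over constructed requests and return the verdicts."""
    allowed = {"www.example.com", "example.com"}
    requests = {
        "same-site link":     {"Referer": "https://www.example.com/gallery.html"},
        "cross-site link":    {"Referer": "https://forum.example.net/thread/12"},
        "no referer":         {},
        "lookalike host":     {"Referer": "https://www.example.com.evil.example/"},
        # A client that sets the header itself (curl -H 'Referer: ...') looks
        # identical to a same-site link: the check cannot tell them apart.
        "client-set referer": {"Referer": "https://www.example.com/"},
    }
    return {
        f"{name} / exact": hotlink_check(hdrs, allowed)
        for name, hdrs in requests.items()
    } | {
        f"{name} / naive": naive_check(hdrs, "example.com")
        for name, hdrs in requests.items()
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} {verdict}")
```

Usage: run the file directly to see both checks side by side. The exact-host form gets the cross-site and lookalike cases right and lets the no-Referer request through; the naive form denies the no-Referer request and allows the lookalike host. Neither form can distinguish a genuine same-site navigation from a client that simply sends the expected Referer value, which is the sense in which Gerv's "Referer is optional" caveat applies to any policy built on it.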


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
