On Thu, Dec 3, 2015 at 10:45 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > I think the attack is about measuring the time delay between a CSP blocked > XHR request and the resulting oneeror, then detecting whether a site had > been visited by measuring a short delay (because the url would be cached). > We could recommend that the UA inserts a random ~100ms-ish delay before > triggering events from CSP blocked requests. It only needs to be there for > cross-origin ones. > > The only difference I know about for CSP support in Firefox is that they do > not currently support CSPs in meta tags, but I believe that is about to be > released anyway. > Yup. Yan is awesome. We've addressed the attack she exposed in the CSP spec by disallowing folks from locking themselves into insecurity. That is, `img-src http:` now means `img-src http: https:`. Firefox accidentally implemented this behavior while working on Upgrade Insecure Requests, and it turns out to have been a wonderful accident that we've implemented in Chrome as well (in beta now, I think). AFAIK, Yan has a more general version of the attack that doesn't rely on CSP. CSP just made it ~100% effective. (+yan) -mike
Received on Thursday, 3 December 2015 09:54:47 UTC