Re: Violation reports

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 28 Apr 2011 23:48:38 -0700
Message-ID: <BANLkTin_AXgT4FbV6VUS=x7kpJm5ouQHGg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On Thu, Apr 28, 2011 at 11:36 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/27/11 8:41 AM, Brandon Sterne wrote:
>> On 04/26/2011 01:17 PM, Adam Barth wrote:
>>> How about we send the full blocked-uri if it's same origin with
>>> report-uri but send only the origin of blocked-uri if it's a different
>>> origin?
>>
>> Sounds good to me.  If there aren't objections, I'll make this change as
>> well.
>
> Minor objection here. I understand Adam's attack and privacy point,
> but that applies to redirections. If someone has injected a URL into
> my site the full URL could be a vital clue to the attack.

A clever attacker wouldn't generate a violation report.

> Can we treat the two cases differently?
>  * if there's no redirection report the full URL, always.
>  * if a load is blocked after redirecting, report one of
>   a) only the origin of the blocked request as Adam proposes
>   b) the original URL that eventually redirected and blocked
>   c) both somehow
>
> Not sure c) fits in the currently defined report format. Failing
> that I prefer b) to a). Even if it's slightly confusing ("why is
> this perfectly fine URL being blocked? Oh, I've got an open
> redirector on my site.") people will have a starting point in their
> investigation of a blocked potential attack.

Treating these cases differently is too complicated.  Complexity has
large costs and we should be judicious in its application.

Adam
Received on Friday, 29 April 2011 06:49:38 GMT
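
The rule proposed in the quoted text above (full blocked-uri when it is same origin with report-uri, only the origin otherwise), sketched as an added example that is not part of the original message or of any browser's implementation. The function name, the handling of unparseable and opaque-origin URLs, and the sample URLs are assumptions.

```javascript
// Added illustration; function name and fallback behaviours are assumptions.

// Value for the report's blocked-uri field under the rule proposed in the thread.
//   blockedUrl:  URL of the request that was blocked (after any redirects)
//   reportUri:   report-uri from the policy, possibly relative
//   documentUrl: URL of the protected document, used to resolve reportUri
function blockedUriForReport(blockedUrl, reportUri, documentUrl) {
  let blocked, reportTarget;
  try {
    blocked = new URL(blockedUrl);
    reportTarget = new URL(reportUri, documentUrl);
  } catch (err) {
    return ""; // assumption: unparseable input is reported as empty
  }
  if (blocked.origin === "null") {
    // data:, javascript: and similar URLs have an opaque origin.
    // Assumption: report only the scheme, never the URL body.
    return blocked.protocol.slice(0, -1);
  }
  // URL.origin normalises host case and default ports before comparison.
  return blocked.origin === reportTarget.origin ? blocked.href : blocked.origin;
}

// Constructed sample inputs: [blockedUrl, reportUri, documentUrl].
const SAMPLES = [
  // Same origin as report-uri: the full URL is reported.
  ["https://EXAMPLE.com:443/js/injected.js?x=1", "/csp-report", "https://example.com/page"],
  // Redirect case: the blocked URL is a cross-origin redirect target,
  // so its path and query never reach the report.
  ["https://other.test/account/42?token=abc", "/csp-report", "https://example.com/page"],
  // report-uri on a third-party collector: even the site's own URL is cut to its origin.
  ["https://example.com/js/app.js", "https://reports.example.net/csp", "https://example.com/page"],
  // Opaque origin.
  ["data:text/plain,hello", "/csp-report", "https://example.com/page"],
];

function runSamples() {
  return SAMPLES.map(([b, r, d]) => blockedUriForReport(b, r, d));
}

console.log(runSamples());
```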