
Re: CSP: set of report URIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 20 Mar 2013 17:20:11 -0400
Message-ID: <CADnb78hn_otnreGZDLDbRmi90_=nCpbJoDeJA24XT4JZB3kZrQ@mail.gmail.com>
To: Ian Melven <imelven@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, Daniel Veditz <dveditz@mozilla.com>

On Tue, Mar 19, 2013 at 12:01 PM, Ian Melven <imelven@mozilla.com> wrote:
> CORS is an interesting idea, but I think one of the cases that people are concerned
> about is an attacker being able to use an injected CSP (particularly if <meta> CSP
> ends up widely implemented) to send violation data to their own server, which will obviously
> grant permission via CORS (same concern addressed via not allowing redirects on report POSTs
> IMO)

<meta> CSP sounds like a bad idea...

In any event, you could set Origin to null so that even a same-origin
request would be cross-origin. Note also that CORS with preflight does
not follow redirects either.


-- 
http://annevankesteren.nl/
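As an added example (not code from the thread or from any browser), this is how a report collector could model the proposal above: every report POST arrives with Origin: null, so the collector treats it as cross-origin and never as a credentialed same-origin request, and it only stores reports for document origins it is deployed for. The sample report, the `accept_csp_report` function and the allowlist are all constructed for this illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a CSP violation report as a browser would POST it
# (Content-Type application/csp-report, JSON body). The field names follow
# the CSP 1.0 report format; the values are made up for this example.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.example.net/x.js",
    }
}).encode()


def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, else None."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}"


def accept_csp_report(method, headers, body, allowed_document_origins):
    """Decide whether a collector should store a posted CSP report.

    Returns (accepted, reason, report). Assumes the proposal from the
    thread: report POSTs carry Origin: null, so the collector treats every
    report as cross-origin and never as a same-origin request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method != "POST":
        return False, "report requests are POST only", None
    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype != "application/csp-report":
        return False, "unexpected content type", None
    # Anything other than Origin: null did not come from the report-sending
    # path modelled here, so it gets no special trust.
    if h.get("origin") != "null":
        return False, "Origin must be null for report POSTs", None
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed report body", None
    # Keep only reports about documents this collector is deployed for, so
    # a policy pointing here cannot fill the store with other sites' data.
    doc_origin = origin_of(report.get("document-uri", ""))
    if doc_origin not in allowed_document_origins:
        return False, "document-uri origin not allowlisted", None
    return True, "ok", report
```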
Received on Wednesday, 20 March 2013 21:20:39 UTC
