- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Wed, 12 Feb 2014 12:59:15 +0100
- To: public-webappsec@w3.org
- CC: Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Garrett Robinson <grobinson@mozilla.com>
I have not followed the development of CSP, but I question why cross-domain leakage has been built into it by default? As I understand it, report-uri, missing onload event handlers and errors will leak information, regardless of whether paths are supported or not. Could someone please link/explain the rationale behind this?

That some major websites have bugs which can be found by a dedicated attacker to tell e.g. logged-in status is not an argument that we should build this bug into browsers by default, for easy exploitation, including against secure websites.

If detailed error information is needed, and the third-party site is OK with passing this information on, then a header set by the third-party site could easily allow this. If the underlying problem of cross-domain leakage is fixed, then paths can be used without a problem.

--
Sigbjørn Vik
Opera Software
Received on Wednesday, 12 February 2014 11:59:45 UTC