On Wed, Feb 12, 2014 at 12:59 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote: > That some major websites have bugs which can be found by a dedicated > attacker to tell e.g. logged-in status, is not an argument that we > should build this bug into browsers by default, for easy exploitation, > including against secure websites. > I think there is a misunderstanding here. The fact that major websites have bugs which can leak logged-in status is not a justification for building anything in, but a justification for removing functionality. > If detailed error information is needed, and the third-party site is ok > with passing this information on, then a header set by the third-party > site could easily allow this. > The goal of CSP's reporting functionality is to give site authors detail about attacks occurring on their sites. "Hey, author, I blocked script from executing right here on your page. Maybe you should go look at your escaping code again, because someone injected something!" It's unlikely that an attacker will cooperate with the attackee by delivering their payload with CORS headers in order to enable reporting. > If the underlying problem of cross domain leakage is fixed, then paths > can be used without a problem. > An issue is that leakage is inherent in the functionality: it isn't possible to block an image from loading, for example, without making the fact that the image was blocked visible to the page that loaded it. If CSP is to be at all valuable in blocking content injection attacks, the act of blocking will by necessity leak the fact that a resource was blocked. I'd welcome proposals that would avoid this. -mike
Received on Wednesday, 12 February 2014 12:32:10 UTC