- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 20 May 2014 15:37:37 +0200
- To: Mike West <mkwst@google.com>
- Cc: Sigbjørn Vik <sigbjorn@opera.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Eduardo' Vela" <evn@google.com>
On Tue, May 20, 2014 at 3:17 PM, Mike West <mkwst@google.com> wrote:
> On Tue, May 20, 2014 at 2:55 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>> * It doesn't resolve redirection login detection, which may add a new
>> security hole to previously secure sites, one against which sites cannot
>> protect themselves.
>
> I disagree that this is a unique consequence of CSP's behavior (as we've
> discussed at length), but I do agree that CSP makes this detection for those
> sites that do cross-origin easier than it is now.

Is this explained somewhere? So far we've made quite an effort to make
redirects atomic from an API's perspective.

>> * It thus adds an unfixable security issue for the foreseeable future
>> for all web sites. This might theoretically hinder the web moving
>> forwards in the future.
>
> For the subset of all websites that do cross-origin login (e.g. google.com
> -> accounts.google.com).

Sites delegating login seems pretty common these days.

-- 
http://annevankesteren.nl/
Received on Tuesday, 20 May 2014 13:38:08 UTC