W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2015

Re: Browser Fingerprinting using HSTS and CSP

From: Mike West <mkwst@google.com>
Date: Thu, 3 Dec 2015 10:53:57 +0100
Message-ID: <CAKXHy=cOQQDs3ZUQsP48N85tyhFpUxarPPZzg4jfXUOzrLRDQg@mail.gmail.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>, yan zhu <yan@mit.edu>
Cc: Nick Doty <npdoty@w3.org>, Keiji Takeda <tkeiji@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
On Thu, Dec 3, 2015 at 10:45 AM, Mike O'Neill <michael.oneill@baycloud.com>

> I think the attack is about measuring the time delay between a CSP blocked
> XHR request and the resulting oneeror, then detecting whether a site had
> been visited by measuring a short delay (because the url would be cached).
> We could recommend that the UA inserts a random ~100ms-ish delay before
> triggering events from CSP blocked requests. It only needs to be there for
> cross-origin ones.
> The only difference I know about for CSP support in Firefox is that they do
> not currently support CSPs in meta tags, but I believe that is about to be
> released anyway.

Yup. Yan is awesome.

We've addressed the attack she exposed in the CSP spec by disallowing folks
from locking themselves into insecurity. That is, `img-src http:` now means
`img-src http: https:`. Firefox accidentally implemented this behavior
while working on Upgrade Insecure Requests, and it turns out to have been a
wonderful accident that we've implemented in Chrome as well (in beta now, I

AFAIK, Yan has a more general version of the attack that doesn't rely on
CSP. CSP just made it ~100% effective. (+yan)

Received on Thursday, 3 December 2015 09:54:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:31 UTC