- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 28 Apr 2011 23:48:38 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Thu, Apr 28, 2011 at 11:36 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/27/11 8:41 AM, Brandon Sterne wrote:
>> On 04/26/2011 01:17 PM, Adam Barth wrote:
>>> How about we send the full blocked-uri if it's same origin with
>>> report-uri but send only the origin of blocked-uri if it's a different
>>> origin?
>>
>> Sounds good to me. If there aren't objections, I'll make this change as
>> well.
>
> Minor objection here. I understand Adam's attack and privacy point,
> but that applies to redirections. If someone has injected a URL into
> my site the full URL could be a vital clue to the attack.
A clever attacker wouldn't generate a violation report.
> Can we treat the two cases differently?
> * if there's no redirection report the full URL, always.
> * if a load is blocked after redirecting, report one of
> a) only the origin of the blocked request as Adam proposes
> b) the original URL that eventually redirected and blocked
> c) both somehow
>
> Not sure c) fits in the currently defined report format. Failing
> that I prefer b) to a). Even if it's slightly confusing ("why is
> this perfectly fine URL being blocked? Oh, I've got an open
> redirector on my site.") people will have a starting point in their
> investigation of a blocked potential attack.
Treating these cases differently is too complicated. Complexity has
large costs and we should be judicious in its application.
Adam
Received on Friday, 29 April 2011 06:49:38 UTC
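
The two reporting rules discussed in this message, side by side, as an added example that is not part of the original e-mail and not code from any browser or from the CSP draft. The function names, the `load` object, and all URLs are hypothetical and constructed, and the scheme-only fallback for opaque origins is an assumption.

```javascript
'use strict';
// Added illustration. Function names, the load object and all URLs are
// hypothetical and constructed; none come from a browser or from the CSP draft.

// Origin of a URL; for opaque origins (e.g. data:) report only the scheme
// (an assumption, this case is not discussed in the thread).
function originOf(url) {
  const u = new URL(url);
  return u.origin === 'null' ? u.protocol.slice(0, -1) : u.origin;
}

function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  return oa !== 'null' && oa === new URL(b).origin;
}

// Rule 1 (Adam Barth): full blocked-uri only if same origin with report-uri.
function originRule(load, reportUri) {
  return sameOrigin(load.finalUrl, reportUri) ? load.finalUrl : originOf(load.finalUrl);
}

// Rule 2 (Daniel Veditz): full URL when nothing redirected; after a redirect,
// option "a" reports the blocked origin, option "b" the originally requested URL.
function redirectRule(load, option) {
  if (load.requestedUrl === load.finalUrl) return load.finalUrl;
  return option === 'a' ? originOf(load.finalUrl) : load.requestedUrl;
}

const REPORT_URI = 'https://site.example/csp-report';
const LOADS = {
  injected: { requestedUrl: 'https://other.example/x.js?id=42',
              finalUrl: 'https://other.example/x.js?id=42' },
  redirected: { requestedUrl: 'https://site.example/go?to=other',
                finalUrl: 'https://other.example/landing?session=abc' },
  sameOrigin: { requestedUrl: 'https://site.example/a.js?v=1',
                finalUrl: 'https://site.example/a.js?v=1' },
};

function compare() {
  const out = {};
  for (const [name, load] of Object.entries(LOADS)) {
    out[name] = { origin: originRule(load, REPORT_URI),
                  redirectA: redirectRule(load, 'a'),
                  redirectB: redirectRule(load, 'b') };
  }
  return out;
}

console.table(compare());
```

The `injected` row shows where the two rules differ without any redirect: rule 1 reports only the origin, rule 2 keeps the path and query.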