- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 28 Apr 2011 23:48:38 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On Thu, Apr 28, 2011 at 11:36 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 4/27/11 8:41 AM, Brandon Sterne wrote:
>> On 04/26/2011 01:17 PM, Adam Barth wrote:
>>> How about we send the full blocked-uri if it's same origin with
>>> report-uri but send only the origin of blocked-uri if it's a different
>>> origin?
>>
>> Sounds good to me. If there aren't objections, I'll make this change as
>> well.
>
> Minor objection here. I understand Adam's attack and privacy point,
> but that applies to redirections. If someone has injected a URL into
> my site the full URL could be a vital clue to the attack.

A clever attacker wouldn't generate a violation report.

> Can we treat the two cases differently?
> * if there's no redirection report the full URL, always.
> * if a load is blocked after redirecting, report one of
>   a) only the origin of the blocked request as Adam proposes
>   b) the original URL that eventually redirected and blocked
>   c) both somehow
>
> Not sure c) fits in the currently defined report format. Failing
> that I prefer b) to a). Even if it's slightly confusing ("why is
> this perfectly fine URL being blocked? Oh, I've got an open
> redirector on my site.") people will have a starting point in their
> investigation of a blocked potential attack.

Treating these cases differently is too complicated. Complexity has
large costs and we should be judicious in its application.

Adam

Received on Friday, 29 April 2011 06:49:38 UTC
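
The rule proposed in the thread above (full blocked-uri when it is same-origin with report-uri, origin only otherwise), written out as an added example that is not part of the original message or of any browser's code. The function name, the sample URLs, and the handling of unparsable and opaque-origin URLs are assumptions; report-uri is taken to be already resolved to an absolute URL.

```javascript
// Added example; names and sample URLs are constructed, not from the thread.
function reportedBlockedUri(blockedUri, reportUri) {
  let blocked, report;
  try {
    blocked = new URL(blockedUri);
    report = new URL(reportUri); // assumed already absolute
  } catch (e) {
    return ""; // assumption: unparsable input is reported as empty
  }
  // Assumption: URLs with an opaque origin (e.g. data:) are reduced to
  // their scheme, since there is no origin to compare or report.
  if (blocked.origin === "null") {
    return blocked.protocol.slice(0, -1);
  }
  // Same origin as the report endpoint: the full URL is sent.
  if (blocked.origin === report.origin) {
    return blocked.href;
  }
  // Different origin: path and query are dropped, only the origin is sent.
  return blocked.origin;
}

// Constructed cases. The second one stands for a load that ended up on
// another origin (for instance after a redirect): its path and query
// never reach the report endpoint.
const REPORT_URI = "https://example.com/csp-report";
const SAMPLES = [
  "https://example.com/js/injected.js?x=1",
  "https://other.example/account/12345?token=abc",
  "https://example.com:8443/static/app.js", // port differs, so origin differs
  "data:text/plain,hello",
];

function demo() {
  return SAMPLES.map((u) => [u, reportedBlockedUri(u, REPORT_URI)]);
}

for (const [input, reported] of demo()) {
  console.log(`${input} -> ${reported}`);
}
```
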