It appears that securitypolicyviolation events and paths in source
expressions are unintentionally useful for determining whether or not
redirects occur. For example, I can determine pretty trivially whether or
not a user is logged into GitHub with the following page in Chrome Canary
(with "Experimental WebKit Features" enabled):
<!DOCTYPE html>
<html>
<head>
  <!-- The policy allows framing only this exact path. If GitHub answers the
       request directly, nothing is violated; if it redirects a logged-out
       user to the login page, the redirect target is outside the allowed
       path and a violation is raised. -->
  <meta http-equiv="Content-Security-Policy" content="frame-src https://github.com/notifications">
</head>
<body>
<script>
  // Fires when the framed navigation ends up somewhere frame-src does not
  // allow, i.e. when the redirect happened.
  document.addEventListener('securitypolicyviolation', function (e) {
    console.log(e);
  });
  var frame = document.createElement('iframe');
  document.body.appendChild(frame);
  frame.src = 'https://github.com/notifications';
</script>
</body>
</html>
I don't see a trivial mitigation; if we have paths, then detecting
violations with some granularity is possible already via the POSTed report.
The violation event simply makes reacting to such detection easier. :/
--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
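The page above is one instance of a general redirect oracle. The following is an added example, not code from Mike West's message: it separates the decision ("does this violation event mean the probed URL redirected?") from the DOM plumbing so the decision can be checked outside a browser. It assumes the behaviour described in the message (the path part of a frame-src source expression is still matched after a redirect, and the violation fires a securitypolicyviolation event on the document); the helper names, the timeout, the sample URLs and the `doc` parameter (there only so the logic can run without a real document) are all assumptions for illustration. The embedding page must still ship the path-specific policy, e.g. `<meta http-equiv="Content-Security-Policy" content="frame-src https://github.com/notifications">`.

```javascript
// Added example (not from the original message): a redirect oracle built on
// path-specific CSP source expressions plus the securitypolicyviolation event.
// Assumptions: the embedding page carries a frame-src directive naming the
// exact probe URL; a direct 200 response causes no violation, while a redirect
// to another path or origin (such as a login page) does.

const PROBE_TIMEOUT_MS = 2000; // assumption: long enough for the frame to load

// Decide whether a violation event is evidence that `probeUrl` redirected.
// `effectiveDirective` is the newer name, `violatedDirective` the older one;
// accept either. A violation whose blocked URI is the probe URL itself means
// the policy did not allow the probe at all, which is not a redirect.
function violationIndicatesRedirect(event, probeUrl) {
  if (!event) return false;
  const directive = event.effectiveDirective || event.violatedDirective;
  if (typeof directive !== 'string' || !directive.startsWith('frame-src')) {
    return false;
  }
  // Browsers differ in how much of the redirect target they expose in
  // blockedURI (full URL vs. origin only); either way it differs from the
  // exact path we asked for.
  return event.blockedURI !== probeUrl;
}

// Frame `probeUrl` and resolve with { url, redirected, blockedURI }.
// `doc` defaults to the real document; a stand-in with createElement,
// body.appendChild and the EventTarget methods is enough to exercise it.
function probeRedirect(probeUrl, { doc = globalThis.document, timeoutMs = PROBE_TIMEOUT_MS } = {}) {
  return new Promise((resolve) => {
    const frame = doc.createElement('iframe');
    let done = false;

    const settle = (result) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      doc.removeEventListener('securitypolicyviolation', onViolation);
      frame.remove();
      resolve(result);
    };

    const onViolation = (e) => {
      if (violationIndicatesRedirect(e, probeUrl)) {
        settle({ url: probeUrl, redirected: true, blockedURI: e.blockedURI });
      }
    };

    // No violation within the window is taken as "served directly". The
    // frame's load event is deliberately not used, since a blocked frame may
    // fire one as well and would not separate the two outcomes.
    const timer = setTimeout(
      () => settle({ url: probeUrl, redirected: false, blockedURI: null }),
      timeoutMs
    );

    doc.addEventListener('securitypolicyviolation', onViolation);
    doc.body.appendChild(frame);
    frame.src = probeUrl;
  });
}

// Usage in a page whose CSP is `frame-src https://github.com/notifications`:
//   probeRedirect('https://github.com/notifications').then(console.log);
```

The split matters for review: `violationIndicatesRedirect` is where the inference lives (directive name, blocked URI versus requested URI), and `probeRedirect` only wires an iframe and a timer around it. Any mitigation that stops paths being matched after a redirect, or that strips the event of redirect details, makes the first function return false and the oracle collapses to "no violation", which is the point of the message above.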