
Re: Cross-origin leakage with securitypolicyviolation events and paths in source expressions.

From: Eduardo' Vela <evn@google.com>
Date: Sun, 5 May 2013 01:15:23 -0700
Message-ID: <CAFswPa-p1gGVh37vp8-Sd0OsyQTDQV8iVJ0L1jbrB4JXi_+YxQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "Hill, Brad" <bhill@paypal-inc.com>

Interesting.

For what it's worth, you can also detect redirects without CSP with iframes
(change the location's hash and see if it triggers a load event).

I don't think paths are the root of the problem though, there are also
cross-origin redirects quite often (e.g., most sites redirect to a login-only
origin such as accounts.google.com when the user is logged out).

However, paths do make it more dangerous, as, for example, it would be an
interesting attack vector to assert a user's identity, for example, if
twitter.com/me redirects to twitter.com/sirdarckcat.

Greetings!!
Received on Sunday, 5 May 2013 08:16:10 UTC
