Re: Cross-origin leakage with securitypolicyviolation events and paths in source expressions. from Eduardo' Vela on 2013-05-05 (public-webappsec@w3.org from May 2013)

From: Eduardo' Vela <evn@google.com>
Date: Sun, 5 May 2013 01:15:23 -0700
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "Hill, Brad" <bhill@paypal-inc.com>
Message-ID: <CAFswPa-p1gGVh37vp8-Sd0OsyQTDQV8iVJ0L1jbrB4JXi_+YxQ@mail.gmail.com>

Interesting.

For what is worth you can also detect redirects without CSP with iframes
(change the location's hash and see if it triggers a load event).

I don't think paths are the root of the problem though, there are also
cross-origin redirects quite often (eg, most sites redirect to a login-only
origin such as accounts.google.com when the user is logged out).

However, paths do make it more dangerous, as, for example, it would be an
interesting attack vector to assert user's identity, for example, if
twitter.com/me redirects to twitter.com/sirdarckcat.

Greetings!!

Received on Sunday, 5 May 2013 08:16:10 UTC