
Re: Cross-origin leakage with securitypolicyviolation events and paths in source expressions.

From: Mike West <mkwst@google.com>
Date: Sun, 5 May 2013 10:55:43 +0200
Message-ID: <CAKXHy=fQ5T5UywN1FohWvYtuv=kybn7L7Vb-w8vFRrJD86UJEQ@mail.gmail.com>
To: "Eduardo' Vela" <evn@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "Hill, Brad" <bhill@paypal-inc.com>
On Sun, May 5, 2013 at 10:15 AM, Eduardo' Vela <evn@google.com> wrote:

> For what it's worth, you can also detect redirects without CSP with iframes
> (change the location's hash and see if it triggers a load event).
>

In this particular case, you can't, as the 'X-Frame-Options' header blocks
the page from ever loading (it's arguable, actually, that the redirect
shouldn't happen in a frame, since both the initial and final target
attempt to deny framing).

Regardless, this certainly wouldn't be the only mechanism of leaking this
sort of state, but it would be nice not to add new holes to the platform. :/


> I don't think paths are the root of the problem though; there are also
> cross-origin redirects quite often (e.g., most sites redirect to a login-only
> origin such as accounts.google.com when the user is logged out).
>

Indeed.

-mike
Received on Sunday, 5 May 2013 08:56:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC