Paths and Redirects

hi *,

in [0] I see a section that has been written in order to address the issue spotted by Egor Homakov in [1].
Now I may well have misunderstood the whole story, but IMHO this doesn't seem to solve the original issue.
E.g. if we have

img-src example.com

rather than

img-src example.com not-example.com/path

what is going to happen?
AFAIU the redirect to not-example.com will still happen, hence the leaking.

regards

antonio

[0] http://www.w3.org/TR/CSP11/#source-list-paths-and-redirects
[1] http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html

Received on Saturday, 16 August 2014 22:12:37 UTC
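As an added example (not part of the original message, and not code from the spec or from any browser), the following JavaScript models the source-expression matching rule described in the "Paths and Redirects" section cited as [0]: the host of a source expression must always match, while its path component is enforced only for the initial request and is ignored once the request has been redirected. It lets you run the two policies from the message against a constructed redirect chain. Assumptions: wildcards, default-port rules and scheme upgrades are not modelled, and the `followUnderPolicy` helper and the sample URLs are made up for illustration.

```javascript
// Added example: a simplified model of CSP 1.1 source-expression matching,
// including the "paths and redirects" rule from [0]. Not spec or browser code.

// Parse one source expression such as "example.com", "not-example.com/path"
// or "https://example.com/dir/". Wildcards are not modelled (assumption).
function parseSourceExpression(expr) {
  const schemeRe = /^[a-z][a-z0-9+.-]*:\/\//i;
  const hasScheme = schemeRe.test(expr);
  const u = new URL(hasScheme ? expr : 'http://' + expr);
  const hostAndPath = expr.replace(schemeRe, '');
  return {
    scheme: hasScheme ? u.protocol.replace(':', '') : null,
    host: u.hostname.toLowerCase(),
    port: u.port,                                   // '' means "not specified"
    path: hostAndPath.includes('/') ? u.pathname : null,
  };
}

// Does `url` match `expr`? `redirectCount` is the number of redirects the
// request has already followed; after a redirect the path is ignored.
function matchesExpression(expr, url, redirectCount) {
  const e = parseSourceExpression(expr);
  const u = new URL(url);
  if (e.scheme && e.scheme !== u.protocol.replace(':', '')) return false;
  if (e.host !== u.hostname.toLowerCase()) return false;   // host always checked
  if (e.port && e.port !== u.port) return false;
  if (redirectCount > 0 || e.path === null) return true;    // path ignored after redirect
  // Trailing slash means prefix match, otherwise exact match.
  return e.path.endsWith('/') ? u.pathname.startsWith(e.path) : u.pathname === e.path;
}

// Parse a directive like "img-src example.com not-example.com/path".
function parseDirective(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  return { name, sources };
}

function isAllowed(directive, url, redirectCount = 0) {
  return parseDirective(directive).sources
    .some((s) => matchesExpression(s, url, redirectCount));
}

// Hypothetical helper: walk a redirect chain (chain[i+1] is the Location
// target of chain[i]) and check every hop against the directive.
function followUnderPolicy(directive, chain) {
  for (let hop = 0; hop < chain.length; hop++) {
    if (!isAllowed(directive, chain[hop], hop)) {
      return { allowed: false, blockedAt: chain[hop], hop };
    }
  }
  return { allowed: true, final: chain[chain.length - 1] };
}

// Constructed sample: the two policies from the message and a redirect from
// example.com to a path on not-example.com.
const policyA = 'img-src example.com';
const policyB = 'img-src example.com not-example.com/path';
const chain = ['http://example.com/img.png', 'http://not-example.com/path/secret.png'];

console.log('policy A:', followUnderPolicy(policyA, chain));
console.log('policy B:', followUnderPolicy(policyB, chain));
// Under policy B a redirect to any path on not-example.com is allowed, while a
// direct request to a non-listed path is not; that is the distinction the
// "paths and redirects" rule draws.
console.log('policy B, redirect to /other:',
  followUnderPolicy(policyB, ['http://example.com/img.png', 'http://not-example.com/other']));
console.log('policy B, direct /other:', followUnderPolicy(policyB, ['http://not-example.com/other']));
```

Run it with `node` to see which hop of the chain each policy blocks under this model.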