Re: Remove paths from CSP? from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 09:49:52 +0100
To: Michal Zalewski <lcamtuf@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Garrett Robinson <grobinson@mozilla.com>
Message-ID: <CAKXHy=d9b-mAXqJ9RtEZS0Rj9CwJZGc5QkYy5rT_HkeX+kOGVQ@mail.gmail.com>

On Wed, Feb 12, 2014 at 9:38 AM, Michal Zalewski <lcamtuf@google.com> wrote:

> I think that paths are mostly useful for scripts, so that you don't
> end up with random JSONP interfaces that accept arbitrary callback
> function names as permissible script sources.
>

Yup. I'd agree. This is the clearest use case. Can we keep it while not
creating attack vectors?

> I suspect that without paths, CSP is still very much useful for
> detecting login state. For example, depending on your login state,
> many Google services will or will not redirect you to
> https://accounts.google.com/.
>

Correct. My claim is only that the risk is substantially lower without
paths than with paths.

More broadly, login state can be probed pretty trivially without CSP
> across virtually all major web services.

Detecting login _state_ is one thing. Detecting _username_ is another,
which redirects to, for example, 'github.com/mikewest' make possible via
brute force

-mike

Received on Wednesday, 12 February 2014 08:50:40 UTC