Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 9:38 AM, Michal Zalewski <lcamtuf@google.com> wrote:

> I think that paths are mostly useful for scripts, so that you don't
> end up with random JSONP interfaces that accept arbitrary callback
> function names as permissible script sources.
>

Yup. I'd agree. This is the clearest use case. Can we keep it while not
creating attack vectors?


> I suspect that without paths, CSP is still very much useful for
> detecting login state. For example, depending on your login state,
> many Google services will or will not redirect you to
> https://accounts.google.com/.
>

Correct. My claim is only that the risk is substantially lower without
paths than with paths.

> More broadly, login state can be probed pretty trivially without CSP
> across virtually all major web services.


Detecting login _state_ is one thing. Detecting _username_ is another,
which redirects to, for example, 'github.com/mikewest' make possible via
brute force.

-mike

Received on Wednesday, 12 February 2014 08:50:40 UTC
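
Worked example, added by the editor and not part of Mike's or Michal's
messages: a model of the username oracle Mike describes. The attacker's page
is served with a CSP whose img-src carries a path (https://github.com/<candidate>)
and embeds an image from https://github.com/. If the victim site redirects a
logged-in user from / to /<username>, the browser checks the post-redirect URL
against the path, so a violation report fires exactly when the candidate is
wrong; a wordlist turns that into a brute-force search. The victim's redirect
behaviour, the wordlist and the user "mikewest" (the path quoted in the
message) are constructed for the example; the matching code is a simplified
form of CSP source-expression matching (no wildcards or ports), and the
ignorePathAfterRedirect switch models the rule later adopted in CSP Level 2,
under which the path part of a source expression is not consulted for a URL
that was reached through a redirect.

```javascript
// Added example, not code from the thread. Models how a path-restricted CSP
// source plus a login-dependent redirect becomes a username oracle, and what
// happens when paths are ignored after a redirect (CSP Level 2 behaviour).

// Parse "scheme://host[/path]" into parts. Wildcards and ports are left out;
// they are not needed for the oracle and would only lengthen the example.
function parseSourceExpression(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]+)(\/.*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path: m[3] ?? null };
}

// Does `url` match the source expression `expr`?  `redirected` says whether
// `url` is the final URL of a redirect chain; `ignorePathAfterRedirect`
// switches on the CSP2 rule that skips the path check in that case.
function matchesSource(expr, url, { redirected = false, ignorePathAfterRedirect = false } = {}) {
  const src = parseSourceExpression(expr);
  const u = new URL(url);
  if (`${src.scheme}:` !== u.protocol) return false;
  if (src.host !== u.host.toLowerCase()) return false;
  if (src.path === null) return true;                      // host-wide match, no path part
  if (redirected && ignorePathAfterRedirect) return true;  // CSP2: path not consulted
  if (src.path.endsWith("/")) return u.pathname.startsWith(src.path); // directory prefix
  return u.pathname === src.path;                          // exact path
}

// Constructed victim: fetching "/" while logged in redirects to "/<username>",
// the github.com/mikewest pattern from the message. Logged out, "/" is served
// directly.
function makeVictim(loggedInUser) {
  return (url) => {
    const u = new URL(url);
    if (u.pathname === "/" && loggedInUser !== null) {
      return { finalUrl: `${u.origin}/${loggedInUser}`, redirected: true };
    }
    return { finalUrl: u.href, redirected: false };
  };
}

// One probe: attacker page carries
//   Content-Security-Policy: img-src <origin>/<candidate>
// and embeds <img src="<origin>/">. The browser follows the redirect, then
// matches the final URL against the policy; a violation report is sent to the
// attacker exactly when the candidate is wrong.
function probe(victim, origin, candidate, opts) {
  const { finalUrl, redirected } = victim(`${origin}/`);
  const allowed = matchesSource(`${origin}/${candidate}`, finalUrl, { redirected, ...opts });
  return { candidate, violationReported: !allowed };
}

// Brute force over a wordlist: every candidate that produced no violation
// report is a hit.
function bruteForceUsername(victim, origin, wordlist, opts = {}) {
  return wordlist.filter((c) => !probe(victim, origin, c, opts).violationReported);
}

// Constructed wordlist and target origin for the demonstration.
const WORDLIST = ["alice", "bob", "mikewest", "lcamtuf"];
const ORIGIN = "https://github.com";

// Three runs: the oracle as discussed in the thread (paths honoured after the
// redirect), the same probes against a logged-out victim, and the probes with
// paths ignored after a redirect.
function demo() {
  const loggedIn = makeVictim("mikewest");
  const loggedOut = makeVictim(null);
  return {
    withPaths: bruteForceUsername(loggedIn, ORIGIN, WORDLIST),
    loggedOut: bruteForceUsername(loggedOut, ORIGIN, WORDLIST),
    pathsIgnoredAfterRedirect: bruteForceUsername(loggedIn, ORIGIN, WORDLIST, {
      ignorePathAfterRedirect: true,
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With paths honoured, the wordlist collapses to the single hit "mikewest". With
paths ignored after a redirect every candidate "matches", so the probe no
longer distinguishes usernames; the logged-out run, in which nothing redirects
and no candidate matches "/", still differs from the logged-in run, so
login-state detection of the kind Michal describes survives even when the
username oracle is closed.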