On Wed, Feb 12, 2014 at 9:38 AM, Michal Zalewski <lcamtuf@google.com> wrote:
> I think that paths are mostly useful for scripts, so that you don't
> end up with random JSONP interfaces that accept arbitrary callback
> function names as permissible script sources.
>
Yup. I'd agree. This is the clearest use case. Can we keep it while not
creating attack vectors?
> I suspect that without paths, CSP is still very much useful for
> detecting login state. For example, depending on your login state,
> many Google services will or will not redirect you to
> https://accounts.google.com/.
>
Correct. My claim is only that the risk is substantially lower without
paths than with paths.
> More broadly, login state can be probed pretty trivially without CSP
> across virtually all major web services.
>
Detecting login _state_ is one thing. Detecting _username_ is another,
which redirects to, for example, 'github.com/mikewest', make possible via
brute force.
-mike