On Wed, Feb 12, 2014 at 9:38 AM, Michal Zalewski <lcamtuf@google.com> wrote:
> I think that paths are mostly useful for scripts, so that you don't
> end up with random JSONP interfaces that accept arbitrary callback
> function names as permissible script sources.

Yup. I'd agree. This is the clearest use case. Can we keep it while not
creating attack vectors?

> I suspect that without paths, CSP is still very much useful for
> detecting login state. For example, depending on your login state,
> many Google services will or will not redirect you to
> https://accounts.google.com/.

Correct. My claim is only that the risk is substantially lower without
paths than with paths.

> More broadly, login state can be probed pretty trivially without CSP
> across virtually all major web services.

Detecting login _state_ is one thing. Detecting _username_ is another,
which redirects to, for example, 'github.com/mikewest', make possible
via brute force.

-mike

Received on Wednesday, 12 February 2014 08:50:40 UTC
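As an added example that is not part of this thread, the following Python model of CSP host-source path matching shows the leak Mike describes and the mitigation CSP Level 2 later adopted for it: when the fetched URL is the result of a redirect, the path component of the source expression is ignored, so the allow/block decision (and any violation report) no longer depends on which path the redirect landed on. The `redirected` flag and the helper names are assumptions of this model, not spec terminology.

```python
from urllib.parse import urlsplit


def path_matches(expr_path: str, url_path: str) -> bool:
    """CSP path matching: an expression path ending in '/' is a prefix
    match; any other path must equal the URL path exactly; an empty
    expression path matches every path on that host."""
    if expr_path == "":
        return True
    if expr_path.endswith("/"):
        return url_path.startswith(expr_path)
    return url_path == expr_path


def source_matches(expr: str, url: str, redirected: bool) -> bool:
    """Match a host-source expression such as 'github.com/mikewest'
    against a URL. 'redirected' (an assumption of this model) is True
    when the URL was reached via a redirect; CSP Level 2 then ignores
    the expression's path so the result cannot reveal the final path."""
    e = urlsplit(expr if "://" in expr else "https://" + expr)
    u = urlsplit(url)
    if e.hostname != u.hostname:
        return False
    if redirected:
        return True
    return path_matches(e.path, u.path)


def distinguishable(expr: str, urls: list, redirected: bool) -> bool:
    """True if the policy decision differs across the candidate URLs,
    i.e. a violation report would tell the page which one the browser
    actually ended up at."""
    outcomes = {source_matches(expr, url, redirected) for url in urls}
    return len(outcomes) > 1


if __name__ == "__main__":
    # Constructed candidates: which one a redirect lands on is what an
    # observer would like to learn from the policy decision.
    candidates = ["https://github.com/mikewest", "https://github.com/other"]
    print("no redirect rule:", distinguishable("github.com/mikewest", candidates, False))
    print("redirect rule   :", distinguishable("github.com/mikewest", candidates, True))
```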