Re: Remove paths from CSP?

On Wed, Feb 12, 2014 at 9:38 AM, Michal Zalewski <> wrote:

> I think that paths are mostly useful for scripts, so that you don't
> end up with random JSONP interfaces that accept arbitrary callback
> function names as permissible script sources.

Yup. I'd agree. This is the clearest use case. Can we keep it while not
creating attack vectors?

> I suspect that without paths, CSP is still very much useful for
> detecting login state. For example, depending on your login state,
> many Google services will or will not redirect you to

Correct. My claim is only that the risk is substantially lower without
paths than with paths.

> More broadly, login state can be probed pretty trivially without CSP
> across virtually all major web services.

Detecting login _state_ is one thing. Detecting _username_ is another,
which redirects to, for example, '' make possible via
brute force.


Received on Wednesday, 12 February 2014 08:50:40 UTC
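An added example, not part of this thread or of any W3C text: a small Python matcher for CSP source expressions that carry a path component. It shows both sides of the discussion above: a path such as `/static/` keeps a same-host JSONP endpoint out of `script-src`, and, under the rule CSP Level 2 later adopted, the path part of the expression is ignored once the fetched resource has been redirected, so a violation (or its absence) no longer tells the embedding page where a redirect landed. Host names, paths and the `redirected` flag are constructed for illustration; wildcards, keyword sources and `'unsafe-*'` tokens are not implemented.

```python
"""Minimal CSP source-expression matcher (added example, not from the thread).

Shows (a) how a path scopes a script-src source to a directory, and
(b) the CSP Level 2 behaviour of ignoring the path when the fetched
resource was redirected. All hosts and paths are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Port of a split URL, falling back to the scheme default."""
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme)


def source_matches(source: str, url: str, redirected: bool = False) -> bool:
    """True if `url` matches the CSP source expression `source`.

    Supports scheme://host[:port][/path] only. Path semantics follow CSP 2:
    an empty path or "/" matches everything on the host; a path ending in
    "/" is a directory prefix; anything else must match exactly. When the
    resource was reached through a redirect, the path is ignored entirely.
    """
    src = urlsplit(source)
    u = urlsplit(url)
    if src.scheme != u.scheme:
        return False
    if src.hostname != u.hostname:
        return False
    if _effective_port(src) != _effective_port(u):
        return False
    # After a redirect only scheme/host/port are compared, so the policy
    # cannot distinguish one redirect target on the host from another.
    if redirected or src.path in ("", "/"):
        return True
    if src.path.endswith("/"):
        return u.path.startswith(src.path)
    return u.path == src.path


def allowed_by_policy(sources, url: str, redirected: bool = False) -> bool:
    """True if any source expression in the directive admits `url`."""
    return any(source_matches(s, url, redirected) for s in sources)


if __name__ == "__main__":
    # (a) Path scoping: a JSONP endpoint on the same host is not a valid
    #     script source when the policy names only the static directory.
    script_src = ["https://cdn.example/static/"]          # constructed
    print(allowed_by_policy(script_src, "https://cdn.example/static/app.js"))
    print(allowed_by_policy(script_src, "https://cdn.example/jsonp?callback=x"))

    # (b) Redirects: a request for /public/probe.js that the server redirects
    #     to a per-user path would fail a path-aware match and so leak the
    #     redirect; with the path ignored after redirect, it simply loads.
    app_src = ["https://app.example/public/"]             # constructed
    final = "https://app.example/u/alice/probe.js"        # constructed
    print(allowed_by_policy(app_src, final, redirected=False))  # would leak
    print(allowed_by_policy(app_src, final, redirected=True))   # no signal
```

Note that ignoring the path after a redirect only removes the path-derived signal; as the thread points out, an off-host redirect (for example to a separate login host) is still distinguishable, and login state can often be probed by other means anyway.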