Re: Remove paths from CSP?

>> I suspect that without paths, CSP is still very much useful for
>> detecting login state. For example, depending on your login state,
>> many Google services will or will not redirect you to
>> https://accounts.google.com/.
>
> Correct. My claim is only that the risk is substantially lower without paths
> than with paths.

For CSP specifically, yes: it makes it easier to probe sites that
don't have their login bits in a separate origin, and if we insist on
whitelisting full URLs, there is the concern with query parameters
outlined by Egor.

For browser fingerprinting as a whole, I'd think that the added
exposure is fairly low. The non-CSP image onload= / script side effect
approach almost certainly works for virtually all the major
destinations on the Internet that have long-lived sessions for their
users.

/mz

Received on Wednesday, 12 February 2014 10:02:52 UTC