- From: Michal Zalewski <lcamtuf@google.com>
- Date: Wed, 12 Feb 2014 02:02:05 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Garrett Robinson <grobinson@mozilla.com>

>> I suspect that without paths, CSP is still very much useful for
>> detecting login state. For example, depending on your login state,
>> many Google services will or will not redirect you to
>> https://accounts.google.com/.
>
> Correct. My claim is only that the risk is substantially lower without paths
> than with paths.

For CSP specifically, yes: it makes it easier to probe sites that don't have their login bits in a separate origin, and if we insist on whitelisting full URLs, there is the concern with query parameters outlined by Egor. For browser fingerprinting as a whole, I'd think that the added exposure is fairly low. The non-CSP image onload= / script side effect approach almost certainly works for virtually all the major destinations on the Internet that have long-lived sessions for their users.

/mz

Received on Wednesday, 12 February 2014 10:02:52 UTC