Re: Remove paths from CSP?

From: Michal Zalewski <lcamtuf@google.com>
Date: Wed, 12 Feb 2014 02:02:05 -0800
Message-ID: <CAN44M3W6kaQ7Ry7e0oMLs9_71N=Vm4=K8qT_Q5v4B9YQDVrzmQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Garrett Robinson <grobinson@mozilla.com>

>> I suspect that without paths, CSP is still very much useful for
>> detecting login state. For example, depending on your login state,
>> many Google services will or will not redirect you to
>> https://accounts.google.com/.
>
> Correct. My claim is only that the risk is substantially lower without paths
> than with paths.

For CSP specifically, yes: it makes it easier to probe sites that
don't have their login bits in a separate origin, and if we insist on
whitelisting full URLs, there is the concern with query parameters
outlined by Egor.

For browser fingerprinting as a whole, I'd think that the added
exposure is fairly low. The non-CSP image onload= / script side effect
approach almost certainly works for virtually all the major
destinations on the Internet that have long-lived sessions for their
users.

/mz
Received on Wednesday, 12 February 2014 10:02:52 UTC
