
Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Wed, 12 Feb 2014 12:59:15 +0100
Message-ID: <52FB6213.2070305@opera.com>
To: public-webappsec@w3.org
CC: Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Garrett Robinson <grobinson@mozilla.com>
I have not followed the development of CSP, but I question why cross-domain
leakage has been built into it by default. As I understand it,
report-uri, missing onload event handlers and errors will leak
information, regardless of whether paths are supported or not. Could
someone please link to or explain the rationale behind this?

That some major websites have bugs which can be found by a dedicated
attacker to tell e.g. logged-in status is not an argument that we
should build this bug into browsers by default, for easy exploitation,
including against secure websites.

If detailed error information is needed, and the third-party site is ok
with passing this information on, then a header set by the third-party
site could easily allow this.

If the underlying problem of cross-domain leakage is fixed, then paths
can be used without a problem.

-- 
Sigbjørn Vik
Opera Software
Received on Wednesday, 12 February 2014 11:59:45 UTC
