Re: Remove paths from CSP?

I have not followed the development of CSP, but I question why cross-domain
leakage has been built into it by default. As I understand it,
report-uri, missing onload event handlers and errors will leak
information, regardless of whether paths are supported or not. Could
someone please link/explain the rationale behind this?

That some major websites have bugs which can be found by a dedicated
attacker to tell e.g. logged-in status is not an argument that we
should build this bug into browsers by default, for easy exploitation,
including against secure websites.

If detailed error information is needed, and the third-party site is OK
with passing this information on, then a header set by the third-party
site could easily allow this.

If the underlying problem of cross-domain leakage is fixed, then paths
can be used without a problem.

-- 
Sigbjørn Vik
Opera Software

Received on Wednesday, 12 February 2014 11:59:45 UTC