W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: Remove paths from CSP?

From: Egor Homakov <homakov@gmail.com>
Date: Wed, 12 Feb 2014 18:11:44 +0700
Message-ID: <CAMQFCujNUVzmv=XvH+JscRrM_Q7wgBjunLHiY+Yg25adi_X9+w@mail.gmail.com>
To: mkwst@google.com, public-webappsec@w3.org

I posted in public-webapps but not sure it was sent properly.

I think I found the best solution.

Detection is based on a redirect (Trusted redirects to NotTrusted, so we can
detect NotTrusted). But since Trusted *redirects* to the other location, maybe
we should mark that new location as Trusted too, and not check it against the
whitelist again?

That's a pretty useful feature, not only as a security measure; imagine
Google changes its API host from
google.com/jquery.js to cdn.google.com/jquery.js:
it will raise a violation literally on every website using CSP. But if CSP
would auto-whitelist 302-redirect destinations, it would not only mitigate
the detection but also make host migration easier for everyone.

I don't see any downsides to this approach. If you can fake the redirect,
you can fake the entire response (attacker likely hacked that server
Received on Wednesday, 12 February 2014 14:17:20 UTC
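As an added illustration (not part of the mail or of any browser's CSP implementation), the following simplified model contrasts the two evaluation rules discussed above. It checks a redirect chain against a CSP source list using host matching only (the real spec's scheme and port rules are left out): `evaluatePerHop` re-checks every redirect destination, so the resulting violation list is what a report would expose as the blocked URI, while `evaluateInheritTrust` implements the proposal that a destination reached by redirect from an allowed source inherits that source's trust. The function names, the policy and the redirect chains are constructed for this example.

```javascript
// Minimal CSP host-source matcher: '*.example.com' matches any subdomain,
// any other pattern must equal the hostname exactly. (Simplification:
// schemes, ports and paths are not modelled.)
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // '.example.com'
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// True if the URL's host is covered by at least one entry in the source list.
function allowedBySourceList(sourceList, url) {
  const host = new URL(url).hostname;
  return sourceList.some((pattern) => hostMatches(pattern, host));
}

// Current behaviour as modelled here: every hop of the redirect chain is
// checked against the whitelist. Any hop that fails would be reported as a
// violation, which is exactly what reveals that Trusted redirected to NotTrusted.
function evaluatePerHop(sourceList, chain) {
  const violations = chain.filter((url) => !allowedBySourceList(sourceList, url));
  return { allowed: violations.length === 0, violations };
}

// Proposed behaviour: only the initial request URL must match; every later
// hop inherits the trust of the allowed origin that redirected to it, so a
// host migration via 302 raises no violation and no report is generated.
function evaluateInheritTrust(sourceList, chain) {
  const first = chain[0];
  const ok = allowedBySourceList(sourceList, first);
  return { allowed: ok, violations: ok ? [] : [first] };
}

// Constructed scenario from the mail: google.com moves its script to cdn.google.com.
const policy = ['google.com'];
const migration = ['https://google.com/jquery.js', 'https://cdn.google.com/jquery.js'];

console.log('per-hop:', evaluatePerHop(policy, migration));
// → allowed: false, violations: ['https://cdn.google.com/jquery.js']
console.log('inherit:', evaluateInheritTrust(policy, migration));
// → allowed: true, violations: []
```

Note that under the inherit-trust rule the first hop is still enforced, so a chain that starts at a non-whitelisted host remains blocked; the rule only changes what happens after an already allowed origin answers with a redirect.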
