- From: Egor Homakov <homakov@gmail.com>
- Date: Wed, 12 Feb 2014 18:11:44 +0700
- To: mkwst@google.com, public-webappsec@w3.org
Received on Wednesday, 12 February 2014 14:17:20 UTC
I posted in public-webapps but I'm not sure it was sent properly. I think I found the best solution. Detection is based on a redirect (Trusted redirects to NotTrusted, we can detect NotTrusted). But since Trusted *redirects* to another location, maybe we should mark that new location as Trusted too, and not check it against the whitelist again? That's a pretty useful feature, not only as a security measure: imagine Google changes its API host from google.com/jquery.js to cdn.google.com/jquery.js; it will raise a violation on literally every website using CSP. But if CSP auto-whitelisted 302-redirect destinations, it would not only mitigate the detection but also make host migration easier for everyone. I don't see any downsides to this approach. If you can fake the redirect, you can fake the entire response (the attacker has likely hacked that server already).
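The two behaviours compared in the message above, as an added example that is not part of the original message or of any browser's code: a simplified model that checks a redirect chain against a source list either hop by hop or with redirect destinations inheriting trust. The function names, the `mode` values and the `.example` URLs are assumptions made for illustration.

```javascript
// Simplified model (assumption): the source list holds host names only, with
// an optional leading "*." wildcard. Real CSP source matching also covers
// schemes, ports and paths.
function hostAllowed(sourceList, url) {
  const host = new URL(url).hostname;
  return sourceList.some((src) =>
    src.startsWith("*.") ? host.endsWith(src.slice(1)) : host === src
  );
}

// chain[0] is the URL the page asked for; the rest are redirect destinations.
// mode "per-hop": every URL in the chain is checked against the list.
// mode "trust-redirects": the proposal in the message. Only the requested URL
// is checked; destinations it redirects to inherit its trust.
function evaluateChain(sourceList, chain, mode) {
  const checked = mode === "trust-redirects" ? chain.slice(0, 1) : chain;
  const failedHop = checked.find((url) => !hostAllowed(sourceList, url));
  return failedHop === undefined
    ? { allowed: true, failedHop: null }
    : { allowed: false, failedHop };
}

// Constructed sample data.
const scriptSrc = ["google.com", "trusted.example"];

// Host migration case from the message: the old URL now redirects to a new host.
const migration = [
  "https://google.com/jquery.js",
  "https://cdn.google.com/jquery.js",
];

// Detection case from the message: whether Trusted redirects to NotTrusted
// becomes visible to the page as "violation" versus "no violation".
const detection = [
  "https://trusted.example/start",
  "https://nottrusted.example/landing",
];

// A requested URL that is not on the list stays blocked under both modes.
const neverAllowed = ["https://nottrusted.example/x.js"];

for (const [name, chain] of Object.entries({ migration, detection, neverAllowed })) {
  for (const mode of ["per-hop", "trust-redirects"]) {
    console.log(name, mode, evaluateChain(scriptSrc, chain, mode));
  }
}
```
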