W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: Remove paths from CSP?

From: Egor Homakov <homakov@gmail.com>
Date: Wed, 12 Feb 2014 18:11:44 +0700
Message-ID: <CAMQFCujNUVzmv=XvH+JscRrM_Q7wgBjunLHiY+Yg25adi_X9+w@mail.gmail.com>
To: mkwst@google.com, public-webappsec@w3.org
I posted in public-webapps but I'm not sure it was sent properly.

I think I found the best solution.

Detection is based on a redirect (Trusted redirects to NotTrusted, we can
detect NotTrusted). But since Trusted *redirects* to another location, maybe
we should mark that new location as Trusted too, and not check it against
the whitelist again?

That's a pretty useful feature, not only as a security measure: imagine
Google changes its API host from
google.com/jquery.js to cdn.google.com/jquery.js;
it will raise a violation literally on every website using CSP. But if CSP
auto-whitelisted 302-redirect destinations, it would not only mitigate
the detection but also make host migration easier for everyone.

I don't see any downsides to this approach. If you can fake the redirect,
you can fake the entire response (the attacker has likely hacked that server
already).
Received on Wednesday, 12 February 2014 14:17:20 UTC
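The two behaviours the message contrasts, as an added example that is not part of the message above and not W3C or browser code: a small Python model of CSP host-source matching walked over a redirect chain. With the current rule every hop is re-checked against the whitelist, so a whitelisted URL that redirects to a non-whitelisted one produces a violation report and the page can observe that the redirect happened; with the proposed rule the destination inherits the trust of the URL that redirected to it. The matching is deliberately simplified (no wildcards, every expression carries a scheme), and the policies, hostnames such as `trusted.example` and the redirect chains are constructed sample data.

```python
from urllib.parse import urlparse

# Simplified CSP host-source matching (assumption of this model, not the
# spec's full algorithm): no wildcard support, expressions must carry a scheme.
DEFAULT_PORTS = {"http": 80, "https": 443}


def matches_source(expr, url):
    """True if `url` matches the host-source expression `expr`.

    Scheme, host and port must agree; a path ending in "/" is a prefix
    match, any other path is an exact match, and no path means any path.
    """
    e, u = urlparse(expr), urlparse(url)
    if e.scheme != u.scheme or e.hostname != u.hostname:
        return False
    e_port = e.port or DEFAULT_PORTS.get(e.scheme)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if e_port != u_port:
        return False
    if not e.path:
        return True
    if e.path.endswith("/"):
        return u.path.startswith(e.path)
    return u.path == e.path


def evaluate_chain(policy_sources, chain, trust_redirect_destinations=False):
    """Walk a redirect chain the way a CSP-enforcing client would.

    Returns (allowed, blocked_url). With trust_redirect_destinations=False
    every hop is re-checked against the whitelist, so a redirect from a
    whitelisted URL to a non-whitelisted one yields a violation (which the
    embedding page can observe). With it True, only the first hop is
    checked: the destination inherits the trust of the URL that redirected
    to it, which is what the message proposes.
    """
    for hop, url in enumerate(chain):
        if hop > 0 and trust_redirect_destinations:
            continue
        if not any(matches_source(src, url) for src in policy_sources):
            return False, url
    return True, None


# Constructed sample data; hostnames are placeholders, not real services.
# Scenario 1: "Trusted redirects to NotTrusted". The policy whitelists
# only /api/, and /api/status sometimes 302s to /login on the same host.
POLICY = ["https://trusted.example/api/"]
DIRECT_CHAIN = ["https://trusted.example/api/status"]
REDIRECTED_CHAIN = ["https://trusted.example/api/status",
                    "https://trusted.example/login"]

# Scenario 2: the host-migration case from the message.
OLD_POLICY = ["https://google.com/jquery.js"]
MIGRATED_CHAIN = ["https://google.com/jquery.js",
                  "https://cdn.google.com/jquery.js"]


def summary():
    """Return how each scenario behaves under the current and proposed rule."""
    return {
        "direct_current": evaluate_chain(POLICY, DIRECT_CHAIN),
        "redirected_current": evaluate_chain(POLICY, REDIRECTED_CHAIN),
        "redirected_proposed": evaluate_chain(POLICY, REDIRECTED_CHAIN, True),
        "migration_current": evaluate_chain(OLD_POLICY, MIGRATED_CHAIN),
        "migration_proposed": evaluate_chain(OLD_POLICY, MIGRATED_CHAIN, True),
    }


if __name__ == "__main__":
    for name, (allowed, blocked) in summary().items():
        print(f"{name:20s} allowed={allowed} blocked_url={blocked}")
```

Under the current rule the redirected chain is blocked at `/login` while the direct one is allowed, which is exactly the difference a page can detect; under the proposed rule both chains and the migrated-host chain are allowed. For comparison, CSP Level 2 later took a narrower route than the message proposes: after a redirect the path component of a source expression is ignored, but scheme, host and port are still checked.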
