Re: Remove paths from CSP?

Author of the article here :) I believe killing paths is killing point of
CSP, furthermore, I'd like to have ?query whitelisted too!

We should patch the whole right where it happens - leakage. We should make
it impossible to detect whether CSP has blocked a resource. Fake
width/height of images, fire onload events, just like nothing happened.

How XSS-Auditor did -  There was a bug with about:blank redirection - now
it redirects to unique data:url, which is supposed to make detection
impossible. Although it's possible again because of #hash detection and the
CSP detection we are talking about right now, but idea is to make detection
impossible, not to cut CSP's functionality.

>reverse clickjacking

you would need to create a javascript:... link first, right? Is it even
possible in normal situations?
I'd rather use

Received on Wednesday, 12 February 2014 14:17:21 UTC