
Re: Remove paths from CSP?

From: Egor Homakov <homakov@gmail.com>
Date: Wed, 12 Feb 2014 17:55:43 +0700
Message-ID: <CAMQFCugULeoqPhrpJ838E5xmr=kQfHiZ5Kyi3sGqjjRzi4=UaA@mail.gmail.com>
To: public-webappsec@w3.org
Author of the article here :) I believe killing paths is killing the point of
CSP; furthermore, I'd like to have ?query whitelisted too!

We should patch the hole right where it happens - leakage. We should make
it impossible to detect whether CSP has blocked a resource. Fake
width/height of images, fire onload events, just like nothing happened.

How XSS-Auditor did it - there was a bug with about:blank redirection - now
it redirects to a unique data:url, which is supposed to make detection
impossible. Although it's possible again because of #hash detection and the
CSP detection we are talking about right now, the idea is to make detection
impossible, not to cut CSP's functionality.

>reverse clickjacking

You would need to create a javascript:... link first, right? Is it even
possible in normal situations?
I'd rather use https://www.google.com/jsapi?callback=form_name.submit
Received on Wednesday, 12 February 2014 14:17:21 UTC
