- From: Egor Homakov <homakov@gmail.com>
- Date: Wed, 12 Feb 2014 17:55:43 +0700
- To: public-webappsec@w3.org
Received on Wednesday, 12 February 2014 14:17:21 UTC
Author of the article here :)

I believe killing paths is killing the point of CSP; furthermore, I'd like to have ?query whitelisted too! We should patch the hole right where it happens - leakage. We should make it impossible to detect whether CSP has blocked a resource. Fake the width/height of images, fire onload events, just like nothing happened.

That is how XSS-Auditor did it - there was a bug with about:blank redirection - now it redirects to a unique data:url, which is supposed to make detection impossible. It's possible again because of #hash detection and the CSP detection we are talking about right now, but the idea is to make detection impossible, not to cut CSP's functionality.

Btw

> reverse clickjacking

you would need to create a javascript:... link first, right? Is it even possible in normal situations? I'd rather use https://www.google.com/jsapi?callback=form_name.submit