W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 15:43:12 +0100
Message-ID: <CAKXHy=frx-Qvz2241sE=xyzpM3v=Ypk4u=+9N_=SMDuDRj+PSQ@mail.gmail.com>
To: Egor Homakov <homakov@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 12, 2014 at 11:55 AM, Egor Homakov <homakov@gmail.com> wrote:

> Author of the article here :) I believe killing paths is killing point of
> CSP, furthermore, I'd like to have ?query whitelisted too!
>

Really?

Neither GitHub nor Facebook use paths in their policies today. I don't
actually know of any service making use of the feature. I'd be happy to be
wrong about that if someone has examples.


> We should patch the whole right where it happens - leakage. We should make
> it impossible to detect whether CSP has blocked a resource. Fake
> width/height of images, fire onload events, just like nothing happened.
>

As noted in the last email, I don't honestly think this is possible.

-mike
Received on Wednesday, 12 February 2014 14:44:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC