Re: Remove paths from CSP?

From: Daniel Veditz <dveditz@mozilla.com>
> I'm not too concerned about CSP being used to determine if someone is
> logged in to a particular site or not, because timing attacks are good
> enough to figure that out for most sites already.

That many sites have an existing security hole is not an argument to
build this security hole into browsers by default.

If it were, we might as well make XSS a browser feature, as most
websites can be exploited already. Sites which care can protect against
both logged-in-detection attacks and XSS, but no longer if these attacks
get built into browsers. Regardless of how much logged-in-detection
attacks are used today, they might be more or less serious tomorrow,
with new technologies. We need to plan for all eventualities.

-- 
Sigbjørn Vik
Opera Software

Received on Friday, 14 February 2014 08:53:43 UTC