
Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 14 Feb 2014 09:53:09 +0100
Message-ID: <52FDD975.50103@opera.com>
To: public-webappsec@w3.org

From: Daniel Veditz <dveditz@mozilla.com>
> I'm not too concerned about CSP being used to determine if someone is
> logged in to a particular site or not, because timing attacks are good
> enough to figure that out for most sites already.

That many sites have an existing security hole is not an argument to
build this security hole into browsers by default.

If it were, we might as well make XSS a browser feature, as most
websites can be exploited already. Sites which care can protect against
both logged-in-detection attacks and XSS, but no longer if these attacks
get built into browsers. Regardless of how much logged-in-detection
attacks are used today, they might be more or less serious tomorrow,
with new technologies. We need to plan for all eventualities.

-- 
Sigbjørn Vik
Opera Software
Received on Friday, 14 February 2014 08:53:43 UTC