- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Fri, 14 Feb 2014 09:53:09 +0100
- To: public-webappsec@w3.org
From: Daniel Veditz <dveditz@mozilla.com>
> I'm not too concerned about CSP being used to determine if someone is
> logged in to a particular site or not, because timing attacks are good
> enough to figure that out for most sites already.

That many sites have an existing security hole is not an argument to build this security hole into browsers by default. If it were, we might as well make XSS a browser feature, as most websites can be exploited already. Sites which care can protect against both logged-in-detection attacks and XSS, but no longer if these attacks get built into browsers.

Regardless of how much logged-in-detection attacks are used today, they might be more or less serious tomorrow, with new technologies. We need to plan for all eventualities.

-- 
Sigbjørn Vik
Opera Software
Received on Friday, 14 February 2014 08:53:43 UTC