Re: Remove paths from CSP? from Pete Freitag on 2014-02-14 (public-webappsec@w3.org from February 2014)

From: Pete Freitag <pete@foundeo.com>
Date: Fri, 14 Feb 2014 15:14:42 -0500
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Sigbjørn Vik <sigbjorn@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAADZ8V6NRvb1OTaUZS7ywpjcdujvbmHUugki_6O3FR1r4=txsg@mail.gmail.com>

On Fri, Feb 14, 2014 at 2:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Are there alternative where we can have both the CSP security
>  improvements and avoid the "hole" altogether, or minimize the damage?
>

If the browser sent a header which included the element name (img, frame,
style, script, etc) that triggered the request, that may minimize the
concern for some cases, eg:

X-Requested-With: img

That way resources that are not legitimately requested via an img tag for
example can block/ignore the request.

--
Pete Freitag

Received on Friday, 14 February 2014 20:15:30 UTC