W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: Remove paths from CSP?

From: Pete Freitag <pete@foundeo.com>
Date: Fri, 14 Feb 2014 15:14:42 -0500
Message-ID: <CAADZ8V6NRvb1OTaUZS7ywpjcdujvbmHUugki_6O3FR1r4=txsg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Sigbjørn Vik <sigbjorn@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Feb 14, 2014 at 2:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Are there alternative where we can have both the CSP security
>  improvements and avoid the "hole" altogether, or minimize the damage?
>

If the browser sent a header which included the element name (img, frame,
style, script, etc) that triggered the request, that may minimize the
concern for some cases, eg:

X-Requested-With: img

That way resources that are not legitimately requested via an img tag for
example can block/ignore the request.

--
Pete Freitag
Received on Friday, 14 February 2014 20:15:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC