- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Wed, 19 Feb 2014 10:05:23 +0100
- To: public-webappsec@w3.org
From: Daniel Veditz <dveditz@mozilla.com>

> I think I'm lost... how does this relate to phishing?

Being able to detect which websites a user has visited, which websites a user is logged in to, and which user name a user has on that website makes phishing a lot easier and a lot more convincing. This even applies to spam mail: if a user clicks a link, and the resulting page can know the user name on a social site, along with any public information, that resulting page can be tailored to the user.

> I can't agree that phishing is worse than XSS

There is really no comparison if you look at the statistics; phishing is a lot worse than XSS. One of the links below states that "91% of breaches are attributable to spear phishing". Not that you should believe that number by itself; feel free to do your own research. That number also includes non-web-related phishing. If you can provide some links to research that shows that XSS is a larger threat to companies than phishing, I'd be happy to reconsider my stance.

From an earlier post:

[1] http://www.scmagazine.com/phishing-remains-most-reliable-cyber-fraud-mechanism/article/248998/
[2] http://www.proofpoint.com/uk/topten/index-roi.php
[3] http://www.invincea.com/wp-content/uploads/Invincea-spear-phishing-watering-hole-drive-by-whitepaper-5.17.13.pdf

> What is the "almost identical solution... without the tradeoff"?

Don't leak information. Remove report-uri, and pretend the resource loaded as normal. Keep paths; as this thread has shown, they are already being put to good use.

But you are right, this is a long thread, so let me attempt to summarize:

As currently specced, redirection paths can leak cross domain. This may leak logged-in status and user names. There are at least three proposals to fix this:

a) Remove paths.
Pro: This removes the worst offender.
Con: Redirection domains are still leaked. This removes a useful feature.

b) Only consider the first URL; do not block resources based on the redirected-to URLs.
Pro: Removes all leakage.
Con: Lots of open redirects exist; any such allowed by CSP would render the protection useless.

c) Don't leak cross-domain information to the originator. (Remove report-uri, and pretend the resource loaded as normal.)
Pro: Removes all leakage.
Con: Removes debugging features. The most complex to implement.

--
Sigbjørn Vik
Opera Software
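To make the trade-offs in the summary concrete, here is an added toy model (not code from the thread or from any browser) of a CSP source expression matched against each hop of a redirect chain, under the behaviour the thread describes and under proposals a), b) and c). The policy, the redirect chains and the simplified scheme-host-path-prefix matching are constructed assumptions; real CSP source matching has more rules.

```python
# Added example, not code from the original thread. Toy model of CSP
# redirect handling under the "current" behaviour and proposals a/b/c.
# Matching is deliberately simplified (scheme+host, optional path prefix).
from urllib.parse import urlparse


def source_matches(source: str, url: str, use_path: bool) -> bool:
    """Scheme and host must match; path is a prefix match when use_path."""
    s, u = urlparse(source), urlparse(url)
    if (s.scheme, s.netloc) != (u.scheme, u.netloc):
        return False
    return not use_path or u.path.startswith(s.path)


def load_resource(sources, redirect_chain, proposal="current"):
    """Return (actually_loaded, what_the_embedding_page_observes).

    proposal: 'current' - every hop checked, paths included, blocked hop reported
              'a'       - every hop checked, paths ignored
              'b'       - only the first URL checked
              'c'       - every hop checked, but the page is told "loaded"
                          and no report is sent
    The observation string is the cross-origin information reaching the
    embedding page: the offending URL (report-uri / load error) or nothing
    beyond a normal-looking load.
    """
    hops = redirect_chain[:1] if proposal == "b" else redirect_chain
    use_path = proposal != "a"
    for hop in hops:
        if not any(source_matches(s, hop, use_path) for s in sources):
            if proposal == "c":
                return False, "loaded"          # blocked, but indistinguishable
            return False, "blocked: " + hop     # hop (domain and/or path) leaks
    return True, "loaded"


# Constructed scenario: a page embeds a login URL on a social site that
# redirects logged-in users to a path containing their user name.
POLICY = ["https://social.example/login"]
LOGGED_IN_CHAIN = ["https://social.example/login", "https://social.example/home/alice"]
CROSS_DOMAIN_CHAIN = ["https://social.example/login", "https://other.example/"]
OPEN_REDIRECT_CHAIN = ["https://social.example/login", "https://untrusted.example/"]

if __name__ == "__main__":
    for p in ("current", "a", "b", "c"):
        print(p, load_resource(POLICY, LOGGED_IN_CHAIN, p),
              load_resource(POLICY, CROSS_DOMAIN_CHAIN, p),
              load_resource(POLICY, OPEN_REDIRECT_CHAIN, p))
```

Running it shows the summary's Pro/Con columns directly: "current" exposes the user-specific path, a) still exposes the redirect domain, b) lets the open redirect through, and c) blocks without telling the page anything.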
Received on Wednesday, 19 February 2014 09:08:24 UTC