Re: Remove paths from CSP?

On 2/24/2014 5:50 AM, Mike West wrote:
> Egor's suggestion is a variant of B: only consider the first URL when
> processing source expressions with a path, while continuing to apply
> path-less source expressions to redirects.
> That is, `script-src`
> would block ->`, but allow
> ->
> The latter seems an unlikely enough risk to be worth accepting.

I don't understand the proposal and example. Why is the first one 
blocked? Isn't a pathless match for Is the 
second one allowed because it's same-origin?

>     c) Don't leak cross domain information to the originator. (Remove
>     report-uri, and pretend the resource loaded as normal.)
>     Pro: Removes all leakage.
>     Con: Removes debugging features. The most complex to implement.
> Honestly, I don't believe that C is implementable. There are too many
> side channels.

I agree for the second part (pretend it loaded), but we could do the 
first (don't report on blocked redirects) if reporting anything at 
all--like the original in-page URL--is considered too revealing.

-Dan Veditz

Received on Tuesday, 25 February 2014 19:50:46 UTC
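Added example (not code from the thread, the CSP spec, or any browser): a small JavaScript matcher that implements one reading of the quoted "variant B" rule, namely that a source expression's path is enforced only against the URL the page originally requested, while every redirect target is matched on scheme, host and port alone. That is the rule CSP Level 2 later adopted; whether it is exactly what Mike meant in the quoted mail is not settled on this page. The policy string, the URL chains, and the helper names are constructed for illustration; wildcards, keyword sources ('self', 'none', nonces, hashes) and the http-to-https upgrade rule are deliberately left out.

```javascript
// Added example: minimal CSP source-expression matcher for the rule
// "paths apply to the initial request only; redirect targets are matched
// path-less". Simplified: no wildcards, no keyword sources, no http->https
// upgrade rule. All names below are illustrative, not a browser's API.

// Parse one source expression of the form [scheme://]host[:port][/path]
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

function defaultPort(scheme) {
  if (scheme === 'https') return '443';
  if (scheme === 'http') return '80';
  return null;
}

// Does `urlString` match `src`? When `ignorePath` is true the expression's
// path component is not consulted (the redirect-target rule).
function matchesSource(src, urlString, ignorePath) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(':', '');
  if (src.scheme && src.scheme !== scheme) return false;
  if (url.hostname.toLowerCase() !== src.host) return false;
  const urlPort = url.port || defaultPort(scheme);
  const srcPort = src.port || defaultPort(src.scheme || scheme);
  if (srcPort !== '*' && srcPort !== urlPort) return false;
  if (src.path && !ignorePath) {
    // CSP path semantics: a path ending in '/' is a prefix match,
    // anything else must match the URL path exactly.
    if (src.path.endsWith('/')) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Evaluate a fetch against a directive's source list. `urls` is the initial
// request URL followed by each redirect target in order. Returns the first
// URL that the policy blocks, or null if the whole chain is allowed.
function checkRedirectChain(sourceList, urls) {
  const sources = sourceList.split(/\s+/).filter(Boolean).map(parseSourceExpression);
  for (let i = 0; i < urls.length; i++) {
    const isRedirectTarget = i > 0; // path is only enforced for i === 0
    const allowed = sources.some((s) => matchesSource(s, urls[i], isRedirectTarget));
    if (!allowed) return urls[i];
  }
  return null;
}

// Constructed policy and chains for illustration.
const POLICY = 'https://cdn.example.com/js/ https://static.example.org';

// Initial URL outside the allowed path: blocked by the path rule.
const blockedInitial = checkRedirectChain(POLICY, [
  'https://cdn.example.com/other/app.js',
]);

// Allowed initial URL redirecting to another path on the same host: allowed,
// because the redirect target is matched without the path. This is the
// "unlikely enough risk" the quoted proposal accepts.
const allowedSameHostRedirect = checkRedirectChain(POLICY, [
  'https://cdn.example.com/js/app.js',
  'https://cdn.example.com/private/internal.js',
]);

// Redirect to a host not in the source list: blocked at the redirect target.
const blockedCrossHostRedirect = checkRedirectChain(POLICY, [
  'https://cdn.example.com/js/app.js',
  'https://evil.example.net/x.js',
]);
```

The observable distinction the thread is worried about lives in the return value of `checkRedirectChain`: when it returns a redirect target rather than null, whatever the page gets to see about that block (a `report-uri` report, an error event, a timing difference) reveals where the cross-origin redirect went, which is the leak Dan's reply is discussing.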