Re: Remove paths from CSP?

On 25-Feb-14 19:43, Michal Zalewski wrote:
>> Personally, I consider any
>> solution which instantly reveals logged-in status on such services
>> to be a security flaw, and a non-starter.
>
> I disagree that it offers a unique opportunity for login
> state detection on the modern web: measuring the side effects of image
> and script loads works for pretty much every major destination on the
> web.

I don't think anyone has claimed this is a unique opportunity.

Let me repeat myself: That an exploit works against many sites, is not a
valid argument to build that security hole into browsers by default.
Protecting against side channels from image and script loads is trivial
for web sites which care. There might not be many of them (today), but
removing the possibility to protect websites is not good security practice.

> I do agree with Mike that preventing sites from being able to measure
> if a CSP-governed resource load succeeded or failed to load is nearly
> impossible to accomplish without essentially rewriting the browsers
> from scratch.

I don't think anyone has suggested we do this though.

My suggestion is that browsers pretend the resource loaded. E.g. CORS
and XHR have lots of behaviour just like this, where the real state of
the load attempt is never revealed to the document. Copying such
features across to CSP hardly seems impossible.

I have still to see a single argument of something which would be hard
to implement in such a solution, all I have seen is generic fear and
uncertainty.

-- 
Sigbjørn Vik
Opera Software

Received on Wednesday, 26 February 2014 10:15:07 UTC