
Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Wed, 26 Feb 2014 11:15:50 +0100
Message-ID: <530DBED6.70400@opera.com>
To: Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>
CC: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Eduardo' Vela <evn@google.com>
On 25-Feb-14 22:13, Daniel Veditz wrote:
>> For services such as gmail and hotmail, the login happens on a
>> different domain than the service. This is an extremely common setup,
>> including on high value targets
>
> This is NOT common, but unfortunately it is used on some high-traffic
> (likely high value) domains.

Websites which have one login and multiple subdomains ARE extremely
common. I consider this fortunate, and good security practice.

> You can't make everything equally fast so you must make things equally
> slow, and these days browsers are competing in part on speed. There's
> no way Mike (Google) or I (Mozilla) could sell that to our respective
> browser engine teams.

I think we have uncovered a misunderstanding here. Browsers should
definitely not slow down, and browsers should not protect websites from
timing attacks. Browsers need to support websites protecting themselves
though, and not purposefully hand over private information to third
party websites.

I fully agree that any suggestion that browsers should do things more
slowly would be a non-starter.

-- 
Sigbjørn Vik
Opera Software
Received on Wednesday, 26 February 2014 10:16:21 UTC