Re: Remove paths from CSP? from Oda, Terri on 2014-02-28 (public-webappsec@w3.org from February 2014)

From: Oda, Terri <terri.oda@intel.com>
Date: Thu, 27 Feb 2014 16:52:37 -0800
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Mike West <mkwst@google.com>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Eduardo' Vela" <evn@google.com>
Message-ID: <CACoC0R-wkGk82yYYPBQd0XnejeGQ-J7e6ObA+6XTPpq9WO_eSQ@mail.gmail.com>

On Thu, Feb 27, 2014 at 12:59 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> On 26-Feb-14 18:40, Michal Zalewski wrote:
> >> Protecting against side channels from image and script loads is trivial
> >> for web sites which care.
> >
> > I'm not sure I agree with this?
>
> Static resources such as images and scripts don't need login protection,
> and can be served identically to logged-in and not logged-in users.

What about a stock photography site that only wants to provide access to
high resolution, watermark-free images to those who have paid for them?
 What about a games site that only allows logged in users access to their
javascript games?

It may be true in many cases that images and scripts don't need login
protection, but I don't think it's true in all cases.

Received on Friday, 28 February 2014 00:53:07 UTC