Re: Remove paths from CSP?

On Thu, Feb 27, 2014 at 12:59 AM, Sigbjørn Vik <> wrote:

> On 26-Feb-14 18:40, Michal Zalewski wrote:
> >> Protecting against side channels from image and script loads is trivial
> >> for web sites which care.
> >
> > I'm not sure I agree with this?
> Static resources such as images and scripts don't need login protection,
> and can be served identically to logged-in and not logged-in users.

What about a stock photography site that only wants to provide access to
high-resolution, watermark-free images to those who have paid for them?
What about a games site that only allows logged-in users access to their
JavaScript games?

It may be true in many cases that images and scripts don't need login
protection, but I don't think it's true in all cases.

Received on Friday, 28 February 2014 00:53:07 UTC