Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 28 Feb 2014 11:49:25 +0100
Message-ID: <531069B5.6000807@opera.com>
To: "Oda, Terri" <terri.oda@intel.com>
CC: Michal Zalewski <lcamtuf@coredump.cx>, Mike West <mkwst@google.com>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 28-Feb-14 01:52, Oda, Terri wrote:
>     Static resources such as images and scripts don't need login protection,
>     and can be served identically to logged-in and not logged-in users.
> 
> What about a stock photography site that only wants to provide access to
> high resolution, watermark-free images to those who have paid for them?
>  What about a games site that only allows logged in users access to
> their javascript games?
> 
> It may be true in many cases that images and scripts don't need login
> protection, but I don't think it's true in all cases.

Agreed. My point is that it is true in many cases, and that in such
cases, CSP may enable a security hole on an otherwise secure site.

-- 
Sigbjørn Vik
Opera Software
Received on Friday, 28 February 2014 10:49:56 UTC