Re: Remove paths from CSP?

So summing up (or we can keep going forever :)

We agree that CSP opens up some new possibilities for redirection
detection. Using 403s to protect against this will work in some cases.

Reporting may possibly be solved in other ways.

Developers accidentally shooting themselves in the foot may largely be
solved by disallowing redirects by default.

We disagree about the relative threat scenario, but neither has hard data.

>     What new forms of side channel leakage do you foresee?
> 
> Nothing new, just the same old wonderfulness. [...]

If there are no new attacks, I don't see that as an argument against
blanking out disallowed loads, and proceeding as normal.

Data exfiltration protection does not seem like a strong argument
against this either, at least not in its current (weak) form.

-- 
Sigbjørn Vik
Opera Software

Received on Monday, 2 June 2014 14:33:45 UTC
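As an added illustration of what the thread is arguing about (this is example code written for this page, not from the thread, from Opera, or from any spec text), the Python below models how a CSP host-source expression with a path component matches a URL, and how that matching behaves across a redirect chain. The path rules follow CSP Level 2 (a trailing "/" matches a directory prefix, anything else must match exactly, and the path is ignored for a URL reached via redirect, which is the rule CSP2 adopted so that path restrictions cannot be used to probe cross-origin redirect targets). The `allow_redirects` switch is a hypothetical flag that models the "disallow redirects by default" idea from the message; it is not a real CSP directive. All hosts and URLs are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def _parse(text):
    """Split a URL or a CSP host-source into (scheme, host, port, path).

    A source expression without a scheme ('cdn.example.com/libs/') is
    prefixed with '//' so urlsplit treats it as an authority, not a path.
    """
    parts = urlsplit(text if "://" in text else "//" + text)
    netloc = parts.netloc
    if ":" in netloc:
        host, port = netloc.rsplit(":", 1)
    else:
        host, port = netloc, None
    return parts.scheme.lower(), host.lower(), port, parts.path


def source_matches(expr, url, page_scheme="https", redirected=False):
    """True if `url` matches the CSP host-source `expr`.

    Covers scheme, host (with a leading wildcard), port and path for the
    common cases; keywords such as 'self' and 'none' are out of scope.
    `redirected=True` means the URL was reached by following a redirect,
    in which case the path part of `expr` is ignored (CSP2 redirect rule).
    """
    e_scheme, e_host, e_port, e_path = _parse(expr)
    u_scheme, u_host, u_port, u_path = _parse(url)
    u_path = u_path or "/"

    # Scheme: an explicit scheme must match; without one, the URL must use
    # the protected page's scheme (https is also accepted for http pages).
    if e_scheme:
        if u_scheme != e_scheme:
            return False
    elif u_scheme != page_scheme and not (page_scheme == "http" and u_scheme == "https"):
        return False

    # Host: '*' matches anything, '*.example.com' any subdomain, else exact.
    if e_host == "*":
        pass
    elif e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):
            return False
    elif u_host != e_host:
        return False

    # Port: no port in the expression means the scheme's default; '*' is any.
    u_port = u_port or DEFAULT_PORTS.get(u_scheme)
    if e_port is None:
        if u_port != DEFAULT_PORTS.get(u_scheme):
            return False
    elif e_port != "*" and e_port != u_port:
        return False

    # Path: empty means unrestricted; a trailing '/' is a directory prefix;
    # anything else must match exactly (query strings are never compared).
    # For a redirected URL the path check is skipped entirely.
    if not e_path or redirected:
        return True
    if e_path.endswith("/"):
        return u_path.startswith(e_path)
    return u_path == e_path


def evaluate_load(sources, chain, page_scheme="https", allow_redirects=True):
    """Decide whether a (possibly redirected) load is permitted.

    `chain` is the list of URLs the browser requested: the original URL
    followed by each redirect target. Hop 0 is checked with its path, later
    hops with the path ignored. allow_redirects=False is a hypothetical
    switch modelling 'disallow redirects by default': any load that
    redirects is blocked. Returns (allowed, index_of_first_rejected_hop).
    """
    if not allow_redirects and len(chain) > 1:
        return False, 1
    for i, url in enumerate(chain):
        if not any(source_matches(s, url, page_scheme, redirected=i > 0) for s in sources):
            return False, i
    return True, None


if __name__ == "__main__":
    # Constructed policy: only scripts under /libs/ on the CDN are allowed.
    policy = ["https://cdn.example.com/libs/"]
    for chain in (
        ["https://cdn.example.com/libs/jquery.js"],
        ["https://cdn.example.com/private/report.js"],
        ["https://cdn.example.com/libs/go.js", "https://cdn.example.com/private/report.js"],
        ["https://cdn.example.com/libs/go.js", "https://evil.example.net/x.js"],
    ):
        print(" -> ".join(chain), evaluate_load(policy, chain))
```

The third chain is the point of the discussion: once a redirect has happened, the path restriction no longer applies, so a path in a policy is a hint to the browser about where to look, not a boundary that survives redirects. Blocking all redirected loads unless a policy opts in (the `allow_redirects=False` case) is one way to make that explicit to developers.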