W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Mon, 02 Jun 2014 16:33:13 +0200
Message-ID: <538C8B29.6040505@opera.com>
To: Mike West <mkwst@google.com>
CC: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
So summing up (or we can keep going forever :)

We agree that CSP opens up some new possibilities for redirection
detection. Using 403's to protect against this will work in some cases.

Reporting may possibly be solved in other ways.

Developers accidentally shooting themselves in the foot may largely be
solved by disallowing redirects by default.

We disagree about the relative threat scenario, but neither has hard data.

>     What new forms of side channel leakage do you foresee?
> Nothing new, just the same old wonderfulness. [...]

If there are no new attacks, I don't see that as an argument against
blanking out disallowed loads, and proceeding as normal.

Data exfiltration protection does not seem like a strong argument
against this either, at least not in its current (weak) form.

Sigbjørn Vik
Opera Software
Received on Monday, 2 June 2014 14:33:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC