- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Mon, 02 Jun 2014 16:33:13 +0200
- To: Mike West <mkwst@google.com>
- CC: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
So, summing up (or we can keep going forever :) we agree that CSP opens up some new possibilities for redirection detection. Using 403s to protect against this will work in some cases. Reporting may possibly be solved in other ways. Developers accidentally shooting themselves in the foot may largely be solved by disallowing redirects by default. We disagree about the relative threat scenario, but neither has hard data.

> What new forms of side channel leakage do you foresee?
>
> Nothing new, just the same old wonderfulness. [...]

If there are no new attacks, I don't see that as an argument against blanking out disallowed loads and proceeding as normal. Data exfiltration protection does not seem like a strong argument against this either, at least not in its current (weak) form.

--
Sigbjørn Vik
Opera Software
Received on Monday, 2 June 2014 14:33:45 UTC