On Tue, Jun 3, 2014 at 11:32 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote: > Images can normally be served static from a site, so is not the main > problem, and no different than the existing problem. For documents, the > question is if the "blank" page can be distinguished from the normal > login page. Leaving images aside (because you're right, they prove too much) the sorts of attacks detailed in http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf would still worry me. > For a suitable definition of "blank", this should be hard, > and it should be possible for webmasters to make their login pages look > just like the "blank" page to further minimize that chance. > I think I'm missing this point. A blank login page would be not particularly useful. What does "blank" mean to you? :) > One of my concerns is that we will open a new hole which webmasters > cannot close. A solution might be to add a CSP HTTP header when doing > cross-domain requests which may be used for redirection detection. This > would enable webmasters so inclined to detect such requests, and always > give the same response. Interesting. How does this work? Assume that `evil.com` triggers a request to `example.com/loggedin` (which redirects to `accounts.example.com`). What would be sent in the header along with the request to `example.com`? The active policy of the page requesting the resource? Does that have properties significantly different from the `Referer` or `Origin` headers? -mike
Received on Thursday, 5 June 2014 11:04:23 UTC