W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Thu, 5 Jun 2014 13:03:35 +0200
Message-ID: <CAKXHy=ehPi=RG_Z8_vhGeq2AAY3kRAQM0qfpTuUTyu9Z1nOgSw@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Eduardo' Vela" <evn@google.com>
On Tue, Jun 3, 2014 at 11:32 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> Images can normally be served static from a site, so is not the main
>  problem, and no different than the existing problem. For documents, the
> question is if the "blank" page can be distinguished from the normal
> login page.


Leaving images aside (because you're right, they prove too much) the sorts
of attacks detailed in
http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf would still
worry me.


> For a suitable definition of "blank", this should be hard,
> and it should be possible for webmasters to make their login pages look
> just like the "blank" page to further minimize that chance.
>

I think I'm missing this point. A blank login page would be not
particularly useful. What does "blank" mean to you? :)


> One of my concerns is that we will open a new hole which webmasters
> cannot close. A solution might be to add a CSP HTTP header when doing
> cross-domain requests which may be used for redirection detection. This
> would enable webmasters so inclined to detect such requests, and always
> give the same response.


Interesting. How does this work?

Assume that `evil.com` triggers a request to `example.com/loggedin` (which
redirects to `accounts.example.com`). What would be sent in the header
along with the request to `example.com`? The active policy of the page
requesting the resource?

Does that have properties significantly different from the `Referer` or
`Origin` headers?

-mike
Received on Thursday, 5 June 2014 11:04:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC