On Thu, Jun 5, 2014 at 2:11 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
> Alternatively, our "blank" page might be what is returned by a 200
> response on an authentication-less (e.g. no cookies) request to the
> same URL. (To avoid timing attacks on the response time, that request
> would have to be fired off simultaneously, so this might increase
> traffic, unless we have good heuristics for when to use it.)
>
That sounds like a lot of overhead. We'd basically request every resource
twice.
> Referer is optional, and doesn't happen on https, and Origin only on
> CORS. Referer doesn't say anything about inline or not (Origin implies
> inline resource). An "Is-inline-element-on-embedding-URL: evil.com"
> header might achieve the same (which is essentially an Origin header
> applied to CSP-controlled requests).
>
Could we simplify this to a header which made it clear that the request was
cross-origin? Would that bit of information be enough, or do we need to
pass in the complete host `evil.com`?
I don't really want to put the current URL (or origin) into a request
header if we can avoid it; that would negate the ability of the `referrer`
directive to suppress referrer information completely for sensitive
resources.
-mike
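To make the two proposals in this exchange concrete, here is an added example (not code from the thread, Opera, or any browser) modelling what a browser would attach to a CSP-controlled subresource fetch under each option. The header names `X-Cross-Origin-Request` and `X-Embedding-Origin` are hypothetical, and the `referrer` directive values (`none`, `none-when-downgrade`, `origin`, `unsafe-url`) are assumed from the CSP 1.1 draft of the time. The one-bit header can be sent regardless of policy; the origin-carrying header has to be suppressed whenever the policy says to withhold referrer information, which is the conflict Mike points at.

```javascript
// Added example (hypothetical header names), not part of the original thread.

// Origin as the browser compares it: scheme + host + non-default port.
// WHATWG URL drops default ports, so https://a.example:443 === https://a.example.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// True when the embedding document and the fetched resource differ in origin.
function isCrossOrigin(documentUrl, requestUrl) {
  return originOf(documentUrl) !== originOf(requestUrl);
}

// Option A (the simplification floated above): leak exactly one bit.
// Independent of the document's `referrer` policy, so nothing to suppress.
function crossOriginBitHeader(documentUrl, requestUrl) {
  return isCrossOrigin(documentUrl, requestUrl) ? '1' : '0';
}

// Option B (an Origin-like header on CSP-controlled requests): carry the
// embedding origin, but only where the CSP 1.1 `referrer` directive (assumed
// values: none | none-when-downgrade | origin | unsafe-url) would permit a
// referrer at all. Returns null when the header must be omitted.
function embeddingOriginHeader(documentUrl, requestUrl, referrerPolicy) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  switch (referrerPolicy) {
    case 'none':
      return null;
    case 'none-when-downgrade':
      // Withhold on https -> http, otherwise send the origin.
      return doc.protocol === 'https:' && req.protocol === 'http:'
        ? null
        : originOf(documentUrl);
    case 'origin':
    case 'unsafe-url':
      return originOf(documentUrl);
    default:
      throw new Error(`unknown referrer policy: ${referrerPolicy}`);
  }
}

// Assemble the hypothetical request headers for one subresource fetch.
function subresourceHeaders(documentUrl, requestUrl, referrerPolicy) {
  const headers = { 'X-Cross-Origin-Request': crossOriginBitHeader(documentUrl, requestUrl) };
  const origin = embeddingOriginHeader(documentUrl, requestUrl, referrerPolicy);
  if (origin !== null) headers['X-Embedding-Origin'] = origin;
  return headers;
}

// Constructed sample: a page on evil.com embedding an image from bank.example.
console.log(subresourceHeaders('https://evil.com/page', 'https://bank.example/img.png', 'none'));
console.log(subresourceHeaders('https://evil.com/page', 'https://bank.example/img.png', 'origin'));
```

With `referrer none` the only thing bank.example learns is that the request was cross-origin; with `referrer origin` it additionally learns `https://evil.com`, which is exactly the information the directive exists to let a sensitive page withhold.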