- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Thu, 05 Jun 2014 15:03:37 +0200
- To: Mike West <mkwst@google.com>
- CC: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 05-Jun-14 14:52, Mike West wrote:

>> CSP-warning-header: "If you redirect, you might leak the
>> redirected-to URL to evil.com, so don't redirect if you don't want
>> to risk this"
>
> Could we simplify this to a header which made it clear that the request
> was cross-origin? Would that bit of information be enough, or do we need
> to pass in the complete host `evil.com`?

The header is presumably only needed on cross-origin requests (presumably only cross-private-suffix requests), so that would be fine. There is no need to include the origin; if a site would want to whitelist some origins, it can do so by having the origin include an authorization token in the query parameters instead.

> I don't really want to put the current URL (or origin) into a request
> header if we can avoid it; that would negate the ability of the
> `referrer` directive to suppress referrer information completely for
> sensitive resources.

Good point. Although these are inlines specifically requested by the page itself, so not entirely certain if the caution is really needed.

--
Sigbjørn Vik
Opera Software
Received on Thursday, 5 June 2014 13:04:11 UTC
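The server-side behaviour sketched in the message above (suppress the redirect when the browser flags the request as cross-origin, unless a whitelisted origin has presented an authorization token in the query string) can be written down as a small decision function. The following is an added example and not code from the thread, Opera, or any browser vendor: the request header name `X-Cross-Origin-Request`, the `origin`/`token` query parameters, and the HMAC-based token scheme are all assumptions made here to illustrate the proposal, not anything the discussion settled on.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed header name: the thread only talks about "a header which made it
# clear that the request was cross-origin" and never names it.
CROSS_ORIGIN_HEADER = "X-Cross-Origin-Request"


def make_token(secret: bytes, origin: str) -> str:
    """Token a site would hand to a whitelisted origin (constructed scheme).

    An HMAC over the origin means the token cannot be reused by another
    origin and reveals nothing about the secret if it leaks.
    """
    return hmac.new(secret, origin.encode("utf-8"), hashlib.sha256).hexdigest()


def decide_redirect(
    headers: Mapping[str, str],
    request_url: str,
    secret: bytes,
    allowed_origins: set,
    target: str,
) -> Tuple[int, Optional[str]]:
    """Return (status, location) for a redirecting endpoint.

    Same-origin requests (no cross-origin flag) redirect as usual: nothing
    about the target can leak to a third party. Cross-origin requests only
    redirect when the query carries a valid token for a whitelisted origin;
    otherwise the endpoint answers without a Location header so the
    redirected-to URL is never exposed.
    """
    # Header names are case-insensitive; normalise before looking them up.
    lowered = {name.lower(): value for name, value in headers.items()}
    if CROSS_ORIGIN_HEADER.lower() not in lowered:
        return 302, target

    query = parse_qs(urlparse(request_url).query)
    origin = query.get("origin", [None])[0]
    token = query.get("token", [None])[0]

    if (
        origin in allowed_origins
        and token is not None
        # Constant-time comparison so the check does not leak via timing.
        and hmac.compare_digest(token, make_token(secret, origin))
    ):
        return 302, target

    # Cross-origin and not authorised: do not redirect.
    return 200, None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-demo-secret"
    allowed = {"https://partner.example"}
    target = "https://cdn.example/resource.js"

    print(decide_redirect({}, "https://site.example/r?id=1", secret, allowed, target))
    print(decide_redirect({CROSS_ORIGIN_HEADER: "1"},
                          "https://site.example/r?id=1", secret, allowed, target))
    tok = make_token(secret, "https://partner.example")
    print(decide_redirect({CROSS_ORIGIN_HEADER: "1"},
                          f"https://site.example/r?origin=https://partner.example&token={tok}",
                          secret, allowed, target))
```

The design point worth noting is that the browser-side signal is a single bit (cross-origin or not), as proposed in the message, so it carries no referrer information; any finer-grained whitelisting is pushed to the site, which issues tokens out of band to the origins it trusts.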