
Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Thu, 05 Jun 2014 15:03:37 +0200
Message-ID: <53906AA9.2090601@opera.com>
To: Mike West <mkwst@google.com>
CC: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 05-Jun-14 14:52, Mike West wrote:

>> CSP-warning-header: "If you redirect, you might leak the
>> redirected-to URL to evil.com, so don't redirect if you don't want
>> to risk this"
> Could we simplify this to a header which made it clear that the request
> was cross-origin? Would that bit of information be enough, or do we need
> to pass in the complete host `evil.com <http://evil.com>`?

The header is presumably only needed on cross-origin requests
(presumably only cross-private-suffix requests), so that would be fine.
There is no need to include the origin, if a site would want to
whitelist some origins, it can do so by having the origin include an
authorization token in the query parameters instead.

> I don't really want to put the current URL (or origin) into a request
> header if we can avoid it; that would negate the ability of the
> `referrer` directive to suppress referrer information completely for
> sensitive resources.

Good point. Although these are inlines specifically requested by the
page itself, so not entirely certain if the caution is really needed.

Sigbjørn Vik
Opera Software
Received on Thursday, 5 June 2014 13:04:11 UTC
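To make the proposal in this reply concrete, here is an added example (constructed for this archive page, not code from the thread, Opera, or any browser): the browser side attaches a hypothetical `CSP-Cross-Origin` header only on cross-private-suffix sub-resource requests, and the server side refuses to redirect such a request unless the query string carries the per-origin authorization token the reply suggests. The header name, the miniature public-suffix list and the `token` query parameter are all assumptions made for this example.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}
WARNING_HEADER = "CSP-Cross-Origin"  # hypothetical header name, not a real one


def registrable_domain(host: str) -> str:
    """Return the 'private suffix' of host: the public suffix plus one more label."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()  # no known public suffix: treat the whole host as the domain


def request_headers(page_url: str, resource_url: str) -> dict:
    """Browser side: add the warning header only when the resource lives on a
    different private suffix than the embedding page (the cross-origin bit)."""
    page = registrable_domain(urlsplit(page_url).hostname or "")
    target = registrable_domain(urlsplit(resource_url).hostname or "")
    return {WARNING_HEADER: "1"} if page != target else {}


def handle(resource_url: str, headers: dict, redirect_to: str, expected_token: str):
    """Server side: return (status, Location). Redirect freely for same-site
    requests; for flagged cross-origin requests redirect only if the embedding
    origin proved it may learn the target by presenting the agreed token."""
    if headers.get(WARNING_HEADER) != "1":
        return (302, redirect_to)
    token = parse_qs(urlsplit(resource_url).query).get("token", [""])[0]
    if expected_token and hmac.compare_digest(token, expected_token):
        return (302, redirect_to)
    # Redirecting here would expose redirect_to to the embedding origin via
    # CSP path matching, so serve a non-redirecting response instead.
    return (403, None)


if __name__ == "__main__":
    hdrs = request_headers("https://evil.com/", "https://bank.example/go?token=abc")
    print(hdrs, handle("https://bank.example/go?token=abc", hdrs, "/account/42", "abc"))
```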
