Re: Remove paths from CSP?

On 05-Jun-14 14:52, Mike West wrote:

>> CSP-warning-header: "If you redirect, you might leak the
>> redirected-to URL to, so don't redirect if you don't want
>> to risk this"
> Could we simplify this to a header which made it clear that the request
> was cross-origin? Would that bit of information be enough, or do we need
> to pass in the complete host ` <>`?

The header is presumably only needed on cross-origin requests
(presumably only cross-private-suffix requests), so that would be fine.
There is no need to include the origin; if a site would want to
whitelist some origins, it can do so by having the origin include an
authorization token in the query parameters instead.

> I don't really want to put the current URL (or origin) into a request
> header if we can avoid it; that would negate the ability of the
> `referrer` directive to suppress referrer information completely for
> sensitive resources.

Good point. Although these are inlines specifically requested by the
page itself, so not entirely certain if the caution is really needed.

Sigbjørn Vik
Opera Software

Received on Thursday, 5 June 2014 13:04:11 UTC
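The server-side behaviour the reply above sketches, as an added example that is not part of the original thread or of any browser or CSP implementation: a resource handler that redirects freely for same-origin requests, and for cross-origin requests (signalled by a hypothetical header, since the thread names none) only redirects when the requester presents a per-origin authorization token in the query string; otherwise it answers inline so the redirected-to URL is never exposed. The header name, paths, origins and key are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Hypothetical header name: the thread proposes a header that only says
# "this request is cross-origin" but never names it (constructed here).
CROSS_ORIGIN_HEADER = "Cross-Origin-Request"

# Constructed demo data: paths that redirect, and the origins this site
# chooses to let observe those redirects (the "whitelist" from the reply).
REDIRECTS = {"/avatar": "/private/users/42/photo.png"}
WHITELISTED_ORIGINS = {"https://trusted.example"}
SECRET = b"constructed-demo-key"


def token_for(origin):
    """Per-origin authorization token the site hands out-of-band to a whitelisted origin."""
    return hmac.new(SECRET, origin.encode(), hashlib.sha256).hexdigest()


def handle(request_target, headers):
    """Decide how to answer a request (headers: dict with exact header names).

    Returns ("redirect", location) when a client-visible redirect is acceptable,
    or ("serve", path) when the server should answer inline instead, so that the
    redirected-to URL is not revealed to a cross-origin embedding page.
    """
    url = urlparse(request_target)
    location = REDIRECTS.get(url.path)
    if location is None:
        return ("serve", url.path)
    # Same-origin request: no third party can observe the redirect target.
    if CROSS_ORIGIN_HEADER not in headers:
        return ("redirect", location)
    # Cross-origin request: redirect only if the requester proves it is whitelisted.
    token = parse_qs(url.query).get("token", [""])[0]
    for origin in WHITELISTED_ORIGINS:
        if hmac.compare_digest(token, token_for(origin)):
            return ("redirect", location)
    # Unknown cross-origin requester: serve the bytes directly, no redirect.
    return ("serve", url.path)
```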