
Re: Remove paths from CSP?

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Thu, 05 Jun 2014 15:03:37 +0200
Message-ID: <53906AA9.2090601@opera.com>
To: Mike West <mkwst@google.com>
CC: Daniel Veditz <dveditz@mozilla.com>, Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 05-Jun-14 14:52, Mike West wrote:

>> CSP-warning-header: "If you redirect, you might leak the
>> redirected-to URL to evil.com, so don't redirect if you don't want
>> to risk this"
>
> Could we simplify this to a header which made it clear that the request
> was cross-origin? Would that bit of information be enough, or do we need
> to pass in the complete host `evil.com`?

The header is presumably only needed on cross-origin requests
(presumably only cross-private-suffix requests), so that would be fine.
There is no need to include the origin; if a site wants to
whitelist some origins, it can do so by having the origin include an
authorization token in the query parameters instead.

> I don't really want to put the current URL (or origin) into a request
> header if we can avoid it; that would negate the ability of the
> `referrer` directive to suppress referrer information completely for
> sensitive resources.

Good point. Although these are inlines specifically requested by the
page itself, so I'm not entirely certain whether the caution is really needed.

-- 
Sigbjørn Vik
Opera Software
Received on Thursday, 5 June 2014 13:04:11 UTC