Re: Remove paths from CSP?

On 05-Jun-14 14:52, Mike West wrote:

>> CSP-warning-header: "If you redirect, you might leak the
>> redirected-to URL to evil.com, so don't redirect if you don't want
>> to risk this"
>
> Could we simplify this to a header which made it clear that the request
> was cross-origin? Would that bit of information be enough, or do we need
> to pass in the complete host `evil.com <http://evil.com>`?

The header is presumably only needed on cross-origin requests
(presumably only cross-private-suffix requests), so that would be fine.
There is no need to include the origin; if a site wants to whitelist
some origins, it can do so by having the origin include an authorization
token in the query parameters instead.

> I don't really want to put the current URL (or origin) into a request
> header if we can avoid it; that would negate the ability of the
> `referrer` directive to suppress referrer information completely for
> sensitive resources.

Good point. Although these are inlines specifically requested by the
page itself, so I am not entirely certain the caution is really needed.

-- 
Sigbjørn Vik
Opera Software

Received on Thursday, 5 June 2014 13:04:11 UTC
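As an added illustration (not from the thread, nor from any browser or spec implementation), here is the server-side half of the proposal discussed above: a resource handler that withholds its redirect when the browser flags the fetch as cross-origin, unless the request carries a query-string token the site has whitelisted. The header name X-CSP-Cross-Origin, the `token` query parameter and the allow-list are assumptions.

```python
# Added example: redirect policy for a resource that may be fetched as a
# CSP-governed inline. The header name and token scheme are hypothetical.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, parse_qs
import hmac

CROSS_ORIGIN_HEADER = "x-csp-cross-origin"   # hypothetical header, lowercased
ALLOWED_TOKENS = {"partner-a-token-constructed"}  # constructed sample allow-list


def _has_valid_token(url: str) -> bool:
    """Whitelisting as suggested in the reply: the embedding origin puts an
    authorization token in the query string. Compared in constant time."""
    qs = parse_qs(urlsplit(url).query)
    for tok in qs.get("token", []):
        if any(hmac.compare_digest(tok, allowed) for allowed in ALLOWED_TOKENS):
            return True
    return False


def resolve(request_headers: Dict[str, str], request_url: str,
            redirect_target: Optional[str]) -> Tuple[int, Optional[str]]:
    """Decide how to answer a fetch. Returns (status, Location).

    A redirect is issued only when the browser did not flag the request as
    cross-origin, or when the requester presented a whitelisted token.
    Otherwise the redirect is withheld (403, no Location), so the
    redirected-to URL cannot be learned by the embedding page through
    CSP path matching."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    cross_origin = headers.get(CROSS_ORIGIN_HEADER) == "1"
    if redirect_target is None:
        return 200, None                     # plain resource, nothing to leak
    if not cross_origin or _has_valid_token(request_url):
        return 302, redirect_target
    return 403, None
```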