Re: Remove paths from CSP?

On Tue, May 20, 2014 at 3:17 PM, Mike West <mkwst@google.com> wrote:
> On Tue, May 20, 2014 at 2:55 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>> * It doesn't resolve redirection login detection, which may add a new
>> security hole to previously secure sites, one against which sites cannot
>> protect themselves.
>
> I disagree that this is a unique consequence of CSP's behavior (as we've
> discussed at length), but I do agree that CSP makes this detection for those
> sites that do cross-origin easier than it is now.

Is this explained somewhere? So far we've made quite an effort to make
redirects atomic from an API's perspective.


>> * It thus adds an unfixable security issue for the foreseeable future
>> for all web sites. This might theoretically hinder the web moving
>> forwards in the future.
>
> For the subset of all websites that do cross-origin login (e.g. google.com
> -> accounts.google.com).

Sites delegating login seems pretty common these days.


-- 
http://annevankesteren.nl/
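As an added illustration, not part of this thread or of any browser's code, the following Python model of CSP Level 2 source-expression matching shows the redirect rule the discussion turns on: an expression's path is ignored once a request has been redirected, so only the host of a redirect target is still observable. The policy and URLs are constructed examples, and the matcher assumes plain scheme://host/path expressions without wildcards.

```python
from urllib.parse import urlsplit

# Constructed sample policy: only scripts under /static/ on the page's own origin.
POLICY = ["https://example.test/static/"]

def path_matches(expr_path, url_path):
    """CSP Level 2 path rule: trailing '/' is a prefix match, anything else is exact."""
    if expr_path in ("", "/"):
        return True            # expression carries no path restriction
    if expr_path.endswith("/"):
        return url_path.startswith(expr_path)
    return url_path == expr_path

def source_matches(expr, url, redirected):
    """Match one scheme://host/path expression against a URL.
    Assumption: no wildcards or scheme-less expressions.
    If the URL was reached through a redirect, the expression's path is
    ignored (CSP Level 2, 'Paths and redirects'), so the path of a redirect
    target cannot be told apart through a violation report."""
    e, u = urlsplit(expr), urlsplit(url)
    if e.scheme != u.scheme or e.netloc != u.netloc:
        return False
    return True if redirected else path_matches(e.path, u.path)

def allowed(policy, chain, ignore_path_after_redirect=True):
    """chain[0] is the requested URL, chain[1:] the successive redirect targets.
    Every hop must match some source expression. With the flag set (the spec
    behaviour) hops after the first are matched without paths; with it cleared
    (the naive behaviour) paths are enforced on every hop."""
    for i, hop in enumerate(chain):
        redirected = i > 0 and ignore_path_after_redirect
        if not any(source_matches(s, hop, redirected) for s in policy):
            return False
    return True

if __name__ == "__main__":
    direct = ["https://example.test/static/app.js"]
    same_origin_login = ["https://example.test/static/app.js", "https://example.test/login"]
    cross_origin_login = ["https://example.test/static/app.js", "https://accounts.example.test/login"]
    print(allowed(POLICY, direct))                                               # True
    print(allowed(POLICY, same_origin_login))                                    # True: path of hop 2 ignored
    print(allowed(POLICY, same_origin_login, ignore_path_after_redirect=False))  # False: naive matching would report it
    print(allowed(POLICY, cross_origin_login))                                   # False: the host still has to be listed
```

The last case is the point Mike concedes above: even with paths ignored after a redirect, a hop to a different host is still blocked and reported, so cross-origin login redirects remain detectable.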

Received on Tuesday, 20 May 2014 13:38:08 UTC