- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Tue, 20 May 2014 16:18:16 +0200
- To: Mike West <mkwst@google.com>
- CC: Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eduardo' Vela <evn@google.com>
On 20-May-14 15:17, Mike West wrote: > * It doesn't resolve redirection login detection, which may add a new > security hole to previously secure sites, one against which sites cannot > protect themselves. > > I disagree that this is a unique consequence of CSP's behavior (as we've > discussed at length) Then we agree, I don't think it is unique either. Sites can create this hole in other ways too, many already have. Though sites which do not currently have this hole (previously secure sites), may now get it. > * It thus adds an unfixable security issue for the foreseeable future > for all web sites. This might theoretically hinder the web moving > forwards in the future. > > For the subset of all websites that do cross-origin login (e.g. > google.com <http://google.com> -> accounts.google.com > <http://accounts.google.com>). Saying "all" is, as you point out, an overstatement, my apologies. What I meant is that all sites must keep it in mind and watch out for it. The cross origin loads do not need to be logins though, other types of redirects can also be vulnerable. E.g. forum.org automatically redirecting me to my most used forum, whether that be gay.forum.org, breast-cancer.forum.org or al-quaeda.forum.org. (Apologies for getting you all flagged in NSA's database.) > * It doesn't fully support the path construct (doesn't work after > redirects). > > True. Do you have a suggestion to avoid this limitation? Not with this solution. The alternative solution of removing error reporting would avoid this. > * It is confusing and complex for webmasters (and as they vastly > outnumber browser developers, it is the most confusing and complex > solution overall). > > Is it? The rule sounds simple: "The path component of a source > expression always matches after a redirect." I agree with you that it > adds some marginal complexity to CSP, but let's not kid ourselves: CSP > is already horrendous. I thought this change was that the path components will be ignored after redirects, maybe I don't understand your quote? Either way, we are already confusing each other ;) CSP is horrendous, this will make it horrendouser... And we are outsourcing the understanding to third parties (webmasters), given their numbers, even marginal changes can have a huge impact. > * It provides a false sense of security to webmasters. A webmaster might > accidentally open a hole when trying to tighten security, or an > unrelated change elsewhere (e.g. changes to use a redirect) might render > a site insecure. > > At worst, the protection offered to developers and users is exactly the > CSP 1.0, origin-based protection that Opera is providing right now. I > think that's a pretty good baseline, honestly. Touche! I am personally not happy with the current protection offered by Opera though. And the current confusion/false sense of security regarding Opera is that we are not following the spec. The proposed spec change will make the complexity part of the spec itself, so I do think it is worse. However, I do not think I will be able to convince you to support the alternative proposal of dropping error reporting instead, even if that from a security point of view is better. And I don't think you will be able to convince me that this tradeoff is for the better of the web. If you have questions or want clarifications, I will be happy to provide them, but for you and me to discuss the finer points any further does not seem to bring much benefit. I seem to have failed to garner any vocal support for my point of view from other members too. I wanted to state that I am still opposed to this solution, but if this otherwise is the consensus of the working group, I will not hold it up, and will instead attempt to give constructive feedback on this solution. -- Sigbjørn Vik Opera Software
Received on Tuesday, 20 May 2014 14:18:47 UTC