- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 8 Nov 2014 15:45:00 -0800
- To: Jim Manico <jim.manico@owasp.org>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
Well, theoretically, yes. In practice, usability sometimes trumps that due to user demand. "Anyone with a link" is a sharing model used by quite a few services, since the alternative (forcing all participants of a chat or all collaborators on a document to register with a particular website, log in, and have explicit ACLs created)... well, often isn't all that great.

/mz

On Sat, Nov 8, 2014 at 3:22 PM, Jim Manico <jim.manico@owasp.org> wrote:
> Please forgive my (continued) ignorance, but isn't keeping secrets out
> of GET requests the law of the land for secure web application
> development?
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>> On Nov 9, 2014, at 6:48 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>>
>> Thinking a bit more about this: it's probably more reasonable if
>> you're hoping to safeguard tokens from ending up in various Referer
>> analytics reports for unrelated parts of the site (the access to which
>> may be delegated to people who have no interest in seeing the URLs).
>>
>> I still feel that if we're adding so much complexity to the directive,
>> we should probably just bite the bullet and allow people to specify
>> policies for domains in a CSP fashion, i.e., detailed referrer goes to
>> *.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
>> goes to *, etc. It would let people use analytics across multi-domain
>> properties while reaping the benefits of a safe default for the rest
>> of the Internet.
>>
>> /mz
Received on Saturday, 8 November 2014 23:45:47 UTC
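The per-destination referrer policy sketched in the quoted message above (a detailed Referer to a listed set of hosts, an origin-only Referer to everyone else) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, from any browser, or from the Referrer Policy specification. The directive syntax ("detailed ... ; origin ..."), the host-pattern matching rules, the "none" policy, and the host-only patterns (the thread's "*.facebook.com/foo" path scoping is not modelled) are all assumptions for illustration. It shows concretely why the thread cares: a capability URL of the "anyone with a link" kind carries its secret in the query string, and the policy decides whether that secret reaches a third party in the Referer header.

```javascript
// Added example modelling a hypothetical CSP-style referrer directive.
// Nothing here is a real browser API or directive; see the lead-in.

// Match a hostname against "*" , "example.org" or "*.example.org".
// Assumed semantics: "*.example.org" matches example.org and any subdomain.
function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// Parse a hypothetical directive such as
//   "detailed *.google.com *.google.com.pl; origin *"
// into an ordered rule list. The first rule whose pattern matches wins.
function parseReferrerRules(directive) {
  return directive
    .split(';')
    .map(s => s.trim())
    .filter(Boolean)
    .map(rule => {
      const [policy, ...patterns] = rule.split(/\s+/);
      if (!['detailed', 'origin', 'none'].includes(policy)) {
        throw new Error('unknown referrer policy: ' + policy);
      }
      if (patterns.length === 0) {
        throw new Error('policy "' + policy + '" has no host patterns');
      }
      return { policy, patterns };
    });
}

// Compute the Referer header a page at fromUrl would send to toUrl.
//   detailed -> full URL, minus fragment and userinfo
//   origin   -> scheme://host[:port]/
//   none     -> no header
// An https -> http downgrade never carries a Referer, matching today's
// browser behaviour. With no matching rule the safe default is origin-only.
function refererFor(fromUrl, toUrl, rules) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  for (const { policy, patterns } of rules) {
    if (patterns.some(p => hostMatches(to.hostname, p))) {
      if (policy === 'none') return null;
      if (policy === 'origin') return from.origin + '/';
      from.hash = '';
      from.username = '';
      from.password = '';
      return from.href;
    }
  }
  return from.origin + '/';
}

// Constructed demo: a shared-by-link document whose access token lives in
// the query string, loading an in-house analytics beacon and a third-party
// widget. Hostnames are made up for the example.
const rules = parseReferrerRules('detailed *.google.com *.google.com.pl; origin *');
const docUrl = 'https://docs.google.com/d/abc?token=SECRET#section-2';
console.log('to analytics :', refererFor(docUrl, 'https://www.google.com/analytics', rules));
console.log('to 3rd party :', refererFor(docUrl, 'https://widgets.thirdparty.example/', rules));
console.log('to plain http:', refererFor(docUrl, 'http://www.google.com/', rules));
```

The same-property request sees the full URL, token included, so cross-domain analytics keep working, while the third party sees only "https://docs.google.com/". That is the "safe default for the rest of the Internet" the message argues for; the downgrade case shows where the header is dropped entirely regardless of policy.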