W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Mike West <mkwst@google.com>
Date: Fri, 26 Sep 2014 14:15:35 +0200
Message-ID: <CAKXHy=dj3nzjDRRdg1y5j2wji9oapcGwoz-JWnztSYMi=P79Og@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Yes, I think that's true.

I've been thinking about this in other contexts as well, CSP is only one of
several ways in which onload/onerror events for images can cause problems.
It might be worth looking into whether or not its web-compatible to stop
firing those events. Or always fire onload, regardless of status (you'd
still be able to check `naturalWidth/Height` though, so I'm not sure how
much that buys us).


Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Sep 26, 2014 at 2:11 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Sep 26, 2014 at 1:55 PM, Mike West <mkwst@google.com> wrote:
> > What's the attack you're considering?
> E.g. if you know about an image on a domain you could check with
> <img src=http://target.example/ onload=visited() onerror=notvisited()>
> due to client-side HSTS rewriting and the recommend setup of port 80
> redirecting to 443.
> --
> https://annevankesteren.nl/
Received on Friday, 26 September 2014 12:16:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:40 UTC