Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 26 Sep 2014 19:45:54 +0200
Message-ID: <CADnb78idQmpW-QcGLOqOXCfMHpWSEjZ8NUSg63h856XJcm-piA@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Mike West <mkwst@google.com>, Ryan Sleevi <sleevi@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Sep 26, 2014 at 7:22 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> Regardless of how HSTS and mixed content interact, the problem Anne
> describes can still exist on an http non-HSTS page.  The http page can embed
> <img src=http://hsts-target.example/ onload=visited() onerror=notvisited()>
> and Mixed Content Blocker would never be invoked to prevent the http page
> from discovering whether the user has visited the target page.

The attack is not through mixed content and is not about whether or
not HSTS is used on the attacker page.

Received on Friday, 26 September 2014 17:46:23 UTC