Re: Redirects and HSTS

On 09/27/2014 02:54 AM, Anne van Kesteren wrote:
> On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
>> Plus the request itself will have already leaked the salient details.
> 
> How so?

Consider trying to protect a cookie set for foo.example.  The website
sends HSTS headers, but it's sloppy and hasn't set the Secure flag on the
cookie.

If an attacker in control of http://bar.example can include <img
src="http://foo.example/image.png"/>  and the client is willing to fetch
it without acting on its HSTS knowledge about foo.example, then it will
leak the cookie to any attacker observing the network.

 --dkg

Received on Monday, 29 September 2014 14:01:40 UTC