
Re: Redirects and HSTS

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon, 29 Sep 2014 10:01:01 -0400
Message-ID: <5429661D.2070500@fifthhorseman.net>
To: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>
CC: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
On 09/27/2014 02:54 AM, Anne van Kesteren wrote:
> On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
>> Plus the request itself will have already leaked the salient details.
> How so?

Consider trying to protect a cookie set for foo.example. The website
sends HSTS headers, but is sloppy and hasn't set the secure flag on the

If an attacker in control of http://bar.example can include <img
src="http://foo.example/image.png"/>  and the client is willing to fetch
it without acting on its HSTS knowledge about foo.example, then it will
leak the cookie to any attacker observing the network.


Received on Monday, 29 September 2014 14:01:40 UTC
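The scenario in the message above, as an added example that is not part of the thread: a toy model of the two client-side rules involved, whether a remembered HSTS policy is applied to subresource loads and whether a cookie carries the Secure attribute, showing which combinations put the cookie (and the request path) on the wire in cleartext. The hostnames, cookie name and image path are constructed to match the message; the functions and the `ClientState` fields are assumptions of this example, not any browser's actual API.

```python
"""Model of a client's HSTS / cookie decision for a subresource fetch.

Added example, not code from the thread: a constructed model of the
browser-side rules under discussion. Hostnames, cookie names and the
image path are constructed to match the scenario in the message.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Cookie:
    name: str
    domain: str
    secure: bool  # the "Secure" attribute: only send over https


@dataclass
class ClientState:
    # hosts for which the client has remembered an HSTS policy
    hsts_hosts: set = field(default_factory=set)
    cookies: list = field(default_factory=list)
    # whether remembered HSTS policies are applied to subresource loads
    # (images, scripts) and not only to top-level navigations (assumed knob)
    upgrade_subresources: bool = True


def resolve_fetch(url: str, state: ClientState, is_subresource: bool) -> dict:
    """Return the URL actually requested, the cookies attached to it, and
    what an on-path observer of that request would see in the clear."""
    parts = urlsplit(url)
    host = parts.hostname
    hsts_applies = host in state.hsts_hosts and (
        state.upgrade_subresources or not is_subresource
    )
    if parts.scheme == "http" and hsts_applies:
        # HSTS upgrade happens before any bytes leave the client
        parts = parts._replace(scheme="https")
    final_url = urlunsplit(parts)
    https = parts.scheme == "https"
    # cookie rules: host must match; Secure cookies ride only on https
    attached = [c.name for c in state.cookies
                if c.domain == host and (https or not c.secure)]
    return {
        "url": final_url,
        "cookies_sent": attached,
        # over plaintext http both the path and every attached cookie are exposed
        "cleartext_path": None if https else parts.path,
        "cleartext_cookies": [] if https else attached,
    }


def scenario(secure_cookie: bool, upgrade_subresources: bool) -> dict:
    """foo.example sent HSTS; a page on bar.example embeds
    http://foo.example/image.png as an <img> subresource."""
    state = ClientState(
        hsts_hosts={"foo.example"},
        cookies=[Cookie("session", "foo.example", secure=secure_cookie)],
        upgrade_subresources=upgrade_subresources,
    )
    return resolve_fetch("http://foo.example/image.png", state, is_subresource=True)


if __name__ == "__main__":
    for sec, up in [(False, False), (False, True), (True, False), (True, True)]:
        r = scenario(sec, up)
        print(f"Secure={sec!s:5} HSTS-on-subresources={up!s:5} -> {r['url']}  "
              f"cleartext cookies: {r['cleartext_cookies']}")
```

Running the four combinations shows the two mitigations are independent: the Secure attribute alone keeps the cookie off the plaintext request but still lets the request (and its path) go out over http, while applying HSTS to subresource loads alone upgrades the request so that even a non-Secure cookie travels over https. Only the client-side HSTS rule removes the plaintext request itself, which is the point being made about the request leaking details regardless of the cookie.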
