
Re: Redirects and HSTS

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon, 29 Sep 2014 10:01:01 -0400
Message-ID: <5429661D.2070500@fifthhorseman.net>
To: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>
CC: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
On 09/27/2014 02:54 AM, Anne van Kesteren wrote:
> On Sat, Sep 27, 2014 at 8:36 AM, Ryan Sleevi <sleevi@google.com> wrote:
>> Plus the request itself will have already leaked the salient details.
> 
> How so?

Consider trying to protect a cookie set for foo.example.  The website
sends HSTS headers, but it is sloppy and hasn't set the Secure flag on
the cookie.

If an attacker in control of http://bar.example can include <img
src="http://foo.example/image.png"/>  and the client is willing to fetch
it without acting on its HSTS knowledge about foo.example, then it will
leak the cookie to any attacker observing the network.

	--dkg


Received on Monday, 29 September 2014 14:01:40 UTC
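The leak dkg describes depends on two things going wrong at once: the cookie has no Secure flag, and the client fetches the cross-origin subresource over plain http instead of upgrading it per its stored HSTS policy. The following is an added example, not code from the thread or from any browser: a small model of a client's cookie-attachment and HSTS-upgrade decisions, which shows that either defense alone is enough to keep the cookie off the wire in cleartext. The hostnames foo.example and bar.example come from the thread; the Client/Cookie classes, the scenario() helper and the cookie values are constructed for illustration.

```python
"""Added example (not part of the original mailing-list thread).

Models a client deciding (1) whether to upgrade an http subresource fetch
to https because of a remembered HSTS policy, and (2) which cookies to
attach to the resulting request. Everything below is constructed for
illustration; it is not any browser's real implementation.
"""

from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False  # the Secure attribute from Set-Cookie


@dataclass
class Client:
    # Hosts that previously sent Strict-Transport-Security over https.
    hsts_hosts: set = field(default_factory=set)
    cookies: list = field(default_factory=list)
    # Whether the client applies HSTS to subresource loads such as <img>,
    # not only to top-level navigations. "False" models the sloppy client
    # in the thread.
    honor_hsts_for_subresources: bool = True

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// if HSTS applies to the host."""
        parts = urlsplit(url)
        if (parts.scheme == "http"
                and parts.hostname in self.hsts_hosts
                and self.honor_hsts_for_subresources):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def cookies_for(self, url: str) -> dict:
        """Cookies the client would attach to a request for this URL."""
        parts = urlsplit(url)
        sent = {}
        for c in self.cookies:
            if c.domain != parts.hostname:
                continue
            # A Secure cookie is never sent over a non-https scheme.
            if c.secure and parts.scheme != "https":
                continue
            sent[c.name] = c.value
        return sent

    def fetch(self, url: str):
        """Return (final_url, cookies_sent) for a subresource fetch."""
        final = self.upgrade(url)
        return final, self.cookies_for(final)


def scenario(secure_flag: bool, honor_hsts: bool):
    """Simulate bar.example embedding <img src="http://foo.example/image.png">.

    Returns (final_url, cookies_sent, leaked_in_cleartext)."""
    client = Client(
        hsts_hosts={"foo.example"},  # foo.example did send HSTS headers
        cookies=[Cookie("session", "constructed-session-token",
                        "foo.example", secure=secure_flag)],
        honor_hsts_for_subresources=honor_hsts,
    )
    # The request originates from a page on bar.example; the client's
    # decision depends only on the target URL and its own state.
    final, sent = client.fetch("http://foo.example/image.png")
    leaked = final.startswith("http:") and "session" in sent
    return final, sent, leaked


if __name__ == "__main__":
    for secure_flag, honor_hsts in [(False, False), (True, False),
                                    (False, True), (True, True)]:
        final, sent, leaked = scenario(secure_flag, honor_hsts)
        print(f"Secure={secure_flag!s:5} HSTS-on-subresources={honor_hsts!s:5} "
              f"-> {final}  cookies={sent}  cleartext leak: {leaked}")
```

Only the combination of a non-Secure cookie and a client that ignores its HSTS knowledge for subresource loads produces a cleartext request carrying the session cookie; setting the Secure flag protects the cookie even on a client with the HSTS gap, and a client that upgrades the fetch protects even a sloppily configured site.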
