- From: 寒蕊 <hanrui.gao@gmail.com>
- Date: Fri, 15 May 2015 18:57:36 +0800
- To: public-webappsec@w3.org
- Message-ID: <CADX+jqw-P2jAUmWzgMZK=TLxX9Eze1sYdnYBthb-nM7QPSO0eA@mail.gmail.com>
Hey guys, I am really confused by the use case that is listed in the CSP3 doc [ https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header ]. Let me cite the use case here:

Note: The central reason for including this header is that it hints to a server that information about redirects might be leaked as a side-effect of a page's active policy. If this header is present, a server might decline to redirect a logged-out user from example.com to accounts.example.com, for example, as a malicious embedder might otherwise be able to determine the user's logged-in status.

I could not understand: if the embedder is malicious, why would it contain such a CSP header? I think if the embedder wants to get some important information (like log-in status) of another site, it can just drop its own CSP header, so that the browser would not send any resource request with the CSP request header.

Any comments? Thanks!
Received on Friday, 15 May 2015 10:58:21 UTC
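The following is an added model of the mechanism the quoted spec note describes; it is example code written for this page, not code from the thread, the CSP3 draft, or any browser. It models three embedder configurations: an active img-src policy with a server that ignores the CSP request header, the same policy with a server that honours the hint by declining to redirect, and no policy at all (the case the question raises). The header's exact name and value are not modeled, only whether a hint was sent; the avatar URL, the login URL, and the server answering in place with a default avatar are all assumptions of the model.

```javascript
// Added model (example code, not from the thread or the CSP3 draft): how an
// embedder's own policy turns a login-dependent redirect into a CSP violation
// the embedder can observe, and what changes when the server honours the
// draft's CSP request header hint. Only "was a hint sent" is modeled; the
// header's actual name and value are not.

const AVATAR_URL = "https://example.com/profile/avatar";      // assumed resource
const LOGIN_URL = "https://accounts.example.com/login";        // assumed redirect target

// Constructed embedder policy: images may only come from example.com.
const EMBEDDER_POLICY = { "img-src": ["https://example.com"] };

// Does the policy's img-src list cover the URL's origin?
function policyAllows(policy, url) {
  return policy["img-src"].includes(new URL(url).origin);
}

// Constructed model of example.com's avatar handler. `honourHint` is the
// server-side choice the spec note suggests; `hintPresent` is whether the
// request carried the CSP request header.
function serveAvatar(loggedIn, hintPresent, honourHint) {
  if (loggedIn) return { status: 200, location: null };
  if (honourHint && hintPresent) {
    // Decline to redirect a policy-governed request; answer in place with a
    // default avatar instead (the in-place response is an assumption here).
    return { status: 200, location: null };
  }
  return { status: 302, location: LOGIN_URL };
}

// Model of the user agent loading <img src=AVATAR_URL> from the embedder page.
// Returns what the embedder can observe: whether a CSP violation fired, and
// where the load ended up.
function loadAsUserAgent(policy, loggedIn, honourHint) {
  const hintPresent = policy !== null; // draft: hint accompanies requests governed by a policy
  const response = serveAvatar(loggedIn, hintPresent, honourHint);
  if (response.status === 302) {
    // CSP checks the redirect target against the embedder's active policy.
    if (policy !== null && !policyAllows(policy, response.location)) {
      return { violation: true, finalUrl: null };
    }
    return { violation: false, finalUrl: response.location };
  }
  return { violation: false, finalUrl: AVATAR_URL };
}

// Does the violation signal differ between a logged-in and a logged-out user?
// If so, the embedder learns the user's login status from its own policy.
function violationLeaksLoginStatus(policy, honourHint) {
  const inState = loadAsUserAgent(policy, true, honourHint).violation;
  const outState = loadAsUserAgent(policy, false, honourHint).violation;
  return inState !== outState;
}

// Three embedder configurations.
console.log("policy, server ignores hint:", violationLeaksLoginStatus(EMBEDDER_POLICY, false));
console.log("policy, server honours hint:", violationLeaksLoginStatus(EMBEDDER_POLICY, true));
console.log("no policy at all:", violationLeaksLoginStatus(null, true));
```

The model scores only the CSP violation signal, which is the channel the spec note is about: with an active policy and a server that redirects regardless, the logged-out user's load is blocked at the redirect and the violation reveals the status; with the server declining to redirect, both users get an in-place 200 and the violation signal is identical. Whether a login page body that fails to decode as an image leaks the same bit through `onerror`, with or without a policy, is a separate channel outside this model.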