
[CSP3] Question on the use case of the CSP request header

From: 寒蕊 <hanrui.gao@gmail.com>
Date: Fri, 15 May 2015 18:57:36 +0800
Message-ID: <CADX+jqw-P2jAUmWzgMZK=TLxX9Eze1sYdnYBthb-nM7QPSO0eA@mail.gmail.com>
To: public-webappsec@w3.org
Hey guys,
I am really confused by the use case listed in the CSP3 doc [https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header].

Let me cite the use case here:

Note: The central reason for including this header is that it hints to a
server that information about redirects might be leaked as a side-effect of
a page’s active policy. If this header is present, a server might decline
to redirect a logged-out user from example.com to accounts.example.com, for
example, as a malicious embedder might otherwise be able to determine the
user’s logged-in status.

I could not understand that if the embedder is malicious, why would it
contain such a CSP header? I think if the embedder wants to get some
important information (like log-in status) of another site, it can just
drop the CSP header of itself, so that the browser would not send any
resource request with the CSP request header.

Any comments?

Thanks!
Received on Friday, 15 May 2015 10:58:21 UTC
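As an added illustration of the server-side behaviour the cited note describes (example code, not from the post or the spec): a minimal WSGI-style handler for example.com that performs the usual login redirect, but declines to redirect a logged-out user when the request carries the CSP request header. The header name `CSP`, the `accounts.example.com` login host and the `401` fallback are assumptions made for the example.

```python
# Added example, not from the mailing-list post or the CSP3 draft.
# Assumptions: the CSP request header is named "CSP" (WSGI exposes it as
# HTTP_CSP), the login host is accounts.example.com, and a 401 with an
# in-place sign-in prompt is the chosen "decline to redirect" response.
from urllib.parse import urlencode

LOGIN_HOST = "accounts.example.com"  # assumed redirect target from the note


def handle(environ, logged_in):
    """Return (status, headers, body) for a request to example.com.

    environ follows the WSGI convention: request headers appear as
    HTTP_<NAME>. logged_in is whatever session check the site already does.
    """
    if logged_in:
        return ("200 OK", [("Content-Type", "text/plain")], b"welcome back")

    # CSP request header present: the requesting document has an active
    # policy, so a cross-origin redirect to the login host could surface as
    # a policy violation on the embedder's side and reveal that this user is
    # logged out. Decline to redirect and answer in place instead.
    if "HTTP_CSP" in environ:
        return ("401 Unauthorized", [("Content-Type", "text/plain")],
                b"please sign in")

    # No hint from the requester: fall back to the ordinary login redirect.
    query = urlencode({"next": environ.get("PATH_INFO", "/")})
    location = "https://%s/login?%s" % (LOGIN_HOST, query)
    return ("302 Found", [("Location", location)], b"")


if __name__ == "__main__":
    # Constructed sample requests: one plain, one carrying the hint.
    for env in ({"PATH_INFO": "/dash"}, {"PATH_INFO": "/dash", "HTTP_CSP": "active"}):
        status, headers, _ = handle(env, logged_in=False)
        print(sorted(env), "->", status, dict(headers))
```

The decision above only takes effect when the header is actually present on the request, which is exactly the gap the question raises.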
