Re: CSP 401 Issue

As I recall, we've tried to do this a few times in Chrome. We've had both
compatibility issues and security issues. Naively suppressing the
dialog makes it possible to brute-force username/password combinations (as
the user's never notified, and failures are distinguishable from successes
via any number of side-channels (nativeWidth, etc.)).

+Tom, who knows more about the details than I do.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Sep 9, 2015 at 10:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Sep 9, 2015 at 2:23 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> > Are you sure Chrome blocks these requests?  I believe they only block the
> > prompt from image subresources.
>
> I just went with what Kepeng was saying, but according to
> https://dump.testsuite.org/xhr/auth/img-auth.html Chrome does not even
> block those. Chrome does seem to block them for a 401 from
> importScripts() inside a worker, whereas Firefox will still prompt.
>
> So if this behavior is indeed needed for compatibility, perhaps we
> should consider a CSP policy of sorts that forbids spawning dialogs
> from such resources.
>
> --
> https://annevankesteren.nl/

Received on Wednesday, 9 September 2015 10:36:21 UTC