W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2017

Re: Reports feature violates the same-origin policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 16 Feb 2017 07:25:35 +0100
Message-ID: <CADnb78jOM_bx8VijUWsJhQmNs_s5-WREp++frw5wVwSjjVhXjQ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 9:09 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> I was being somewhat snarky; I'm not actually proposing we change the
> reporting content-type. CSP's report-uri uses a Content-Type of
> application/csp-report. If a hypothetical JSON-consuming server is checking
> Content-Type they should already be fine. If they aren't then a malicious
> web site's ability to hit the server with text/plain JSON payloads would
> pose similar risk. I wouldn't want to generically whitelist
> application/csp-report if that means arbitrary xhr/fetch could also use
> those. At least with a real CSP report there are restrictions on the
> possible data that's sent that are unlikely to match some other service's
> JSON format.

Yes, I mentioned that problem with adding it to the safelist.

And I agree that the problem is fairly limited, especially as the JSON
attack doesn't hold up due to no usage of a +json MIME type scheme,
but it's still unclear where we draw the line. The same-origin policy
is a boundary and every now and then we cross it in a rather
unprincipled manner. And furthermore, we reserve that right only for
ourselves, web developers have to pay a higher price.


> In CSP 3 report-uri is deprecated in favor of report-to. Report-to uses the
> reporting service spec which defines a content-type of application/report,
> and also that the request mode is "cors". Isn't that basically what you
> want? Can we leave the report-uri behavior alone as a historical artifact of
> 2011 spec making?

That would end up requiring a CORS preflight. I doubt that's going to
be compatible enough? How does deployment of that even work, we'll
just break existing reporting services?


-- 
https://annevankesteren.nl/
Received on Thursday, 16 February 2017 06:26:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC