Re: Capability URLs & Referer headers

On Wed, Feb 5, 2014 at 6:16 PM, Jeni Tennison <jeni@jenitennison.com> wrote:
> Am I reading that correctly? Is that a correct interpretation of what browsers do by default?

Testing using the developer tools from Chrome and Firefox, following
the link in https://bugzilla.mozilla.org/show_bug.cgi?id=968065#c17,
the full Bugzilla URL is indeed "leaked" to Google Code. That site
meanwhile requests several resources across the origin boundary and
also leaks its full URL.

I see where you are going with this and indeed, if you have any
cross-origin URL within your capability URL you will be leaking your
secret all over.


-- 
http://annevankesteren.nl/

Received on Thursday, 6 February 2014 17:29:17 UTC
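As an added illustration (not part of the thread), the following Python models how the Referer header is derived from the document URL under the Referrer Policy rules, and flags which cross-origin subresources of a capability URL would receive the full secret-bearing URL. The 2014 browser default, no-referrer-when-downgrade, sends the full URL to any https subresource; a page can opt out with a Referrer-Policy header or meta element. The capability URL and subresource URLs are constructed, and the downgrade test is simplified to "https document requesting a non-https URL".

```python
from urllib.parse import urlsplit, urlunsplit

def _origin(url):
    """Serialized origin plus '/', the form sent by origin-only policies."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"

def _strip(url):
    """'Strip url for use as a referrer': drop userinfo and the fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))

def referer_for(document_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser would send for request_url, or None if omitted."""
    full, origin = _strip(document_url), _origin(document_url)
    same_origin = origin == _origin(request_url)
    # Simplified downgrade check (assumption): https document -> non-https request.
    downgrade = (urlsplit(document_url).scheme == "https"
                 and urlsplit(request_url).scheme != "https")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    raise ValueError(f"unknown referrer policy: {policy}")

def find_leaks(document_url, subresource_urls, policy="no-referrer-when-downgrade"):
    """Cross-origin subresources that would receive the full capability URL."""
    full = _strip(document_url)
    return [u for u in subresource_urls
            if _origin(u) != _origin(document_url)
            and referer_for(document_url, u, policy) == full]

if __name__ == "__main__":
    # Constructed capability URL (secret token in the path) and its subresources.
    cap = "https://docs.example/share/SECRET-TOKEN-0000?v=2#top"
    subs = ["https://cdn.example.net/lib.js", "http://tracker.example.org/pixel.gif"]
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(pol, "leaks the full URL to:", find_leaks(cap, subs, pol))
```

Under the old default only the http tracker is spared (by the downgrade rule); under strict-origin-when-cross-origin nothing beyond the origin leaves the site.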