Remove paths from CSP? from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)
Remove paths from CSP?
- From: Mike West <mkwst@google.com>
- Date: Wed, 12 Feb 2014 09:28:10 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Garrett Robinson <grobinson@mozilla.com>
- Message-ID: <CAKXHy=fOWvN0RpvZfBcFVXt+kvex3wOx6iXfA5PdmD7S5Z6pLA@mail.gmail.com>
CSP 1.1 allows authors to add path information to source expressions. It's implemented in both Firefox and Chrome. Generally, it seems like a reasonable thing to want to limit script to 'mycdn.com/js', as it limits exposure.

I argued for this feature back in 2012, and implemented it in Chrome. I think I was wrong to do so. Exposing path information makes it fairly easy to leak data cross-origin. I noted this in May last year[1], but [2] and [3] show that it's far more practical than I thought at the time.

Are paths valuable enough to live with this leakage vector? I don't think they are. I'd suggest dropping paths from 1.1 now, before LC, and removing them from both Chrome and Firefox's implementation.

We might be able to keep paths for some directives ('form-action' for instance, which might mitigate some of the concerns in Michal's Postcards), but I'm not sure that complexity is worthwhile.

CCing some folks from previous discussions. WDYT?

[1]: https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html
[2]: https://code.google.com/p/chromium/issues/detail?id=313737
[3]: https://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 12 February 2014 08:29:02 UTC
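As an added example (not part of the archived message or any browser's code), the following Python audits a CSP header for path-bearing host-source expressions, the construct the mail proposes dropping, and emits the host-only policy that would result. The header strings and the choice to leave 'form-action' paths alone (per the mail's remark) are assumptions made here.

```python
import re

# Directives where the mail suggests paths might still be worth keeping.
PATH_TOLERANT = {"form-action"}

# Matches an optional scheme, then the host[:port], then an optional path.
HOST_SOURCE = re.compile(r"^([a-z][a-z0-9+.-]*://)?([^/]+)(/.*)?$", re.I)


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def has_path(expr):
    """True if a host-source expression carries a path (e.g. mycdn.com/js)."""
    if expr.startswith("'") or expr.endswith(":"):   # keyword or scheme source
        return False
    m = HOST_SOURCE.match(expr)
    return bool(m and m.group(3))


def strip_path(expr):
    """Reduce a host-source expression to scheme + host, dropping the path."""
    m = HOST_SOURCE.match(expr)
    return (m.group(1) or "") + m.group(2)


def audit_paths(header):
    """Return (findings, host_only_header).

    findings lists (directive, expression) pairs that carry a path and would
    be widened to their host under the mail's proposal; the rewritten header
    is the policy with those paths removed (duplicates collapsed in order).
    """
    findings, rewritten = [], []
    for directive, sources in parse_csp(header).items():
        kept = []
        for src in sources:
            if has_path(src) and directive not in PATH_TOLERANT:
                findings.append((directive, src))
                src = strip_path(src)
            if src not in kept:
                kept.append(src)
        rewritten.append(" ".join([directive] + kept))
    return findings, "; ".join(rewritten)
```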