On 06/04/09 18:12, Sid Stamm wrote:
Personally, I don't like the idea of honoring redirects for logging... if a meta tag can be injected into a page (with a CSP header or not) and the site hosts an open redirect, suddenly cookies can be stolen from all visitors to a site.
Surely not? If Site Angelic redirects to Site Be-Evil, We don't send Angelic's cookies to Be-Evil, do we? Or have I missed something? You may need to describe the attack scenario in more detail for my small brain.
While it's true that this would be easy to implement, I think we need to set a limit. We don't want to spawn off 100 requests every time a policy is violated. If that happens, attackers could leverage the reporting mechanism in CSP to flood a network with traffic.
But are there not easier ways of doing this - injecting <img> tags for 100 images on the target server, for example? Given that the reports are so small, I can't see how anyone would want to use it as a DOS mechanism.
We should set a limit. I'm just wondering whether "2" is the most convenient limit.
I'm not convinced that widespread use will demand more than two report URIs, and it's not difficult to set up that report URI recipient service to fork copies to multiple other destinations.
True. It's not a big deal.
I think the intention for requiring the allow directive was to force the policy-writer into writing out the default case to minimize possibility for false assumptions. I'm not sure though.
Fair enough. As long as the JS console/error report says something sensible if it's missing.
Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
