Sid: Do you have feedback from developers that this data is
absolutely necessary for debugging? Could you elaborate with examples?

I am in favor of not sending cookies/auth data right now. After
deploying CSP, if we hear a lot of complaining that this data is
absolutely necessary for debugging then we can add it. This, in the
worst case, would mean that problems for some group of users would be
hard to debug.

The other way around - deploying with cookies/auth data and finding
out that it opens a big hole would mean that some group of users would
be vulnerable - which is not preferable.


Regards
Devdatta

On 9 June 2010 09:24, Sid Stamm <[email protected]> wrote:
> On 06/08/2010 05:04 PM, Devdatta wrote:
>> Why not hash the auth with a salt and then send H(nonce,auth token) to
>> the server? Thus the server if the auth token is really important can
>> generate them if needed - but the attacker can't easily generate the
>> auth token back from the data in report-uri.
>
> This could work for auth, but not for cookies since the value of the
> cookies isn't predictable by the server.  My impression is that the
> cookies would be more useful in debugging what went wrong on a site than
> the auth, so I'd be interested to see if there's something we can do there.
>
> Storing the report-uri in well-known might work (as Adam suggested), but
> that splits the policy into two locations.
>
> Would a policy referenced via policy-uri be safe enough to not suppress
> auth and cookie data?  If so, maybe we could redact it when sending
> reports for policies where report-uri is in the HTTP header, and not
> when it's in an external policy file.
>
> -Sid
>
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
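The H(nonce, auth token) redaction Devdatta proposes above, worked through as an added example; this is not code from the original thread, from Mozilla, or from the CSP specification. The report field names ("auth-nonce", "auth-digest"), the digest construction (SHA-256 over a fixed label, the nonce and the token), and the sample violation and tokens are all assumptions made for this illustration. It also shows why the same trick does not carry over to cookies: the server can only recover a value it already knows.

```python
"""Redacting the Authorization header in a CSP violation report.

Added illustration of the H(nonce, auth token) idea from the thread;
not Mozilla's code or part of any CSP specification. The JSON field
names and the digest construction are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

LABEL = b"csp-report-auth-v0:"  # domain-separation label, assumed for this example


def auth_digest(auth_token: str, nonce: bytes) -> str:
    """H(nonce, auth token): what the browser sends instead of the raw header."""
    return hashlib.sha256(LABEL + nonce + auth_token.encode("utf-8")).hexdigest()


def build_report(violation: dict, auth_token: Optional[str]) -> dict:
    """Browser side: build the report body.

    The raw Authorization value never leaves the client; only a fresh
    random nonce and the digest do. Cookies are left out entirely: the
    server cannot recompute a digest over a value it does not know, so
    hashing them would not make them useful for debugging.
    """
    report = {"csp-report": dict(violation)}
    if auth_token is not None:
        nonce = secrets.token_bytes(16)
        report["auth-nonce"] = nonce.hex()
        report["auth-digest"] = auth_digest(auth_token, nonce)
    return report


def recover_auth_token(report: dict, known_tokens: Iterable[str]) -> Optional[str]:
    """Server side: find which token the site issued produced the digest.

    The site can do this because it holds the list of tokens it handed
    out; whoever obtains the report without that list is left with a
    brute-force search over the whole token space.
    """
    if "auth-digest" not in report:
        return None
    nonce = bytes.fromhex(report["auth-nonce"])
    for token in known_tokens:
        candidate = auth_digest(token, nonce)
        if hmac.compare_digest(candidate, report["auth-digest"]):
            return token
    return None


# Constructed sample data so the module runs stand-alone.
SAMPLE_VIOLATION = {
    "document-uri": "https://example.test/account",
    "blocked-uri": "https://cdn.example.test/widget.js",
    "violated-directive": "script-src 'self'",
}
ISSUED_TOKENS = ["tok-a1b2c3", "tok-d4e5f6", "tok-g7h8i9"]

if __name__ == "__main__":
    report = build_report(SAMPLE_VIOLATION, "tok-d4e5f6")
    print("report body:", report)
    print("recovered on the server:", recover_auth_token(report, ISSUED_TOKENS))
```

The nonce is generated per report, so two reports for the same token carry different digests and cannot be correlated by an observer of the report endpoint; the cost is that the server must try every token it knows against each report, which is only cheap because that set is small and entirely under the server's control.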
