I have been trying to figure out what restrictions browsers enforce for
cross-origin data access. I would like to find the answer to the
following question:
My web application displays some sensitive information to a logged-in
user. The user visits another site without explicitly logging out of my
site first. How do I ensure that the other site cannot access the
sensitive information without acceptance from me or the user?
One example is that if my sensitive information is in an image, another
site can embed that image, and it can read the dimensions of it, but it
cannot read its pixel data.
I know of other examples, but I don’t like to build my own blacklist. Is
there some documentation somewhere that describes when my data is safe?
Related things: XSS is unrelated to my question. CORS allows me to do
the opposite of what I want. CSP restricts how my code can access any
data, whereas I want to restrict how any code can access my data. CSRF
is about performing actions, not about reading data, but the CSRF token
is sensitive data, so I need to ensure that other sites cannot read the
token.
Also, if you know of a better forum to ask this, please tell me.
-
Jesper Kristensen
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security