On Tue, Aug 06, 2013 at 01:32:00PM -0400, Eric Covener wrote:
> Another option in this neighborhood is small/varying deflate blocks.
> But that probably limits the usefulness of deflate to the same extent
> that it helps.  The idea is to make it less likely that the user input
> and secret get compressed together.

It would be interesting to see how feasible “barriers” in mod_deflate would
be. E.g., if my application outputs

  <input type="hidden" name="csrftoken" DEFLATE_BARRIER_START value="1234" DEFLATE_BARRIER_END>

maybe mod_deflate could be taught not to compress the parts in-between.

It's all rather speculative, though, and it only works when you know exactly
what you protect (there might be other sensitive data than the CSRF tokens)
or where the dangerous data comes from (easy to miss, for the same reasons
that XSS is easy to miss).

/* Steinar */
-- 
Homepage: http://www.sesse.net/
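An added illustration of the barrier idea (not code from this thread, from mod_deflate, or from any Apache module): with zlib, a Z_FULL_FLUSH on each side of the token acts as such a barrier, and the 2x2 size comparison checks that the echoed user input and the token then stop influencing each other's compressed size. The markup and token values are constructed for the example.

```python
import zlib

# Constructed sample response: attacker-influenced text (an echoed search
# string) and a hidden CSRF token share one compressed HTTP body.
PREFIX = b"<html><body><p>Search results for: "
FORM_OPEN = b'</p><form><input type="hidden" name="csrftoken" value="'
SUFFIX = b'"></form></body></html>'
TOKEN_A = b"f3a9c71e5b204d8a"  # constructed token values, not real secrets
TOKEN_B = b"0b6e27d4c9f1a583"

def deflate_with_barriers(segments, level=6):
    """Raw-deflate (data, protected) segments. A protected segment is wrapped
    in Z_FULL_FLUSH, which closes the current block and clears the LZ77
    history, so its bytes can neither back-reference earlier data nor be
    referenced by later data: that is the 'barrier'."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)  # -15: raw deflate
    out = bytearray()
    for data, protected in segments:
        if protected:
            out += comp.flush(zlib.Z_FULL_FLUSH)
        out += comp.compress(data)
        if protected:
            out += comp.flush(zlib.Z_FULL_FLUSH)
    out += comp.flush(zlib.Z_FINISH)
    return bytes(out)

def page_segments(user_input, token, protect_token):
    return [(PREFIX + user_input, False), (FORM_OPEN, False),
            (token, protect_token), (SUFFIX, False)]

def compressed_size(user_input, token, protect_token):
    segs = page_segments(user_input, token, protect_token)
    return len(deflate_with_barriers(segs))

def size_interaction(protect_token):
    """Second difference of compressed size over two tokens and two inputs
    that each echo the first 12 characters of one token. Negative: the body
    shrinks when the echo matches the token (the correlation a compression
    side channel measures). Zero: echo and token no longer interact."""
    echo_a, echo_b = TOKEN_A[:12], TOKEN_B[:12]
    size = lambda echo, token: compressed_size(echo, token, protect_token)
    return ((size(echo_a, TOKEN_A) - size(echo_a, TOKEN_B))
            - (size(echo_b, TOKEN_A) - size(echo_b, TOKEN_B)))

def roundtrip_ok(user_input, token):
    """Barriers change only the compressed form, never the decoded body."""
    segs = page_segments(user_input, token, True)
    plain = b"".join(data for data, _ in segs)
    return zlib.decompress(deflate_with_barriers(segs), -15) == plain
```

Without the barrier the interaction term is negative; with it the term is exactly zero, because the stream becomes a sum of independently compressed, byte-aligned parts.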
