On 4/6/09 3:56 AM, Gervase Markham wrote:
- When might we see the "Refinements" section with the JS/eval changes?
Or is that the other document?
The content is in the other document, but most likely we'll be moving
that to the wiki too (I've linked to the description doc in the mean time).
- What happens if a Report-URI encounters a redirect? We should say
specifically in the spec what we do, and I think we should honour it.
This would allow us to do "all reports must be sent to the same host
that served the protected content" while still allowing people to set it
up so that the logging server was a separate machine.
Personally, I don't like the idea of honoring redirects for logging...
if a meta tag can be injected into a page (with a CSP header or not) and
the site hosts an open redirect, suddenly cookies can be stolen from all
visitors to a site.
- Would it not be more flexible, with negligible change in
implementation complexity, to make report-uri multi-valued? We have to
support multiple values anyway.
While it's true that this would be easy to implement, I think we need to
set a limit. We don't want to spawn off 100 requests every time a
policy is violated. If that happens, attackers could leverage the
reporting mechanism in CSP to flood a network with traffic. I'm not
convinced that widespread use will demand more than two report URIs, and
it's not difficult to set up that report URI recipient service to fork
copies to multiple other destinations.
- "but a declared (unexpanded) policy always has the "allow" directive."
I think you need to make it more clear that "allow" is mandatory. But
what was the logic behind making it so? Why not assume "allow *", which
is what browsers do in the absence of CSP anyway?
I think the intention for requiring the allow directive was to force the
policy-writer into writing out the default case to minimize possibility
for false assumptions. I'm not sure though.
- The formal syntax uses "<host-expr-list>" but it's undefined in that
formal section. Is that intentional?
Nope... that's a mistake, should be "<source-list>".
- Should there be a space or other separator in the middle of
"<allow-directive><directive-list>"?
Indeed. ";"
- The Violation Report Sample has:
"<blocked-uri>some_image.png</blocked-uri>". Given that the directive
blocked was a "self" directive, I would expect some_image.png to be on
another host, and therefore for a full URI to be provided. (This is
vital for trying to find out who is behind the content injection.) What
have I missed?
You're right, a full URI would be appropriate there. The wiki was
actually parsing out the http://evil.com/ part from both references to
"some_image.png" and omitting it... weird.
Thanks for the comments!
-Sid
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
