On 4/7/09 4:01 AM, Gervase Markham wrote:
> Surely not? If Site Angelic redirects to Site Be-Evil, We don't send
> Angelic's cookies to Be-Evil, do we? Or have I missed something? You may
> need to describe the attack scenario in more detail for my small brain.
Since the user's entire request header is in the report, any cookies sent with the request header to Angelic get forwarded on. While Be-Evil doesn't actually get forwarded cookies, the cookies are buried in the content of the report that is forwarded under the <request-headers> field.

>> I think the intention for requiring the allow directive was to force the
>> policy-writer into writing out the default case to minimize possibility
>> for false assumptions. I'm not sure though.

> Fair enough. As long as the JS console/error report says something
> sensible if it's missing.
Of course. Any forgivable but bad policy syntax is going to be spat into the error console. Terminal ("can't parse") errors will cause CSP to fail closed ("allow self") and still raise an error.

-Sid
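The leak described above (the user's credentials riding inside the report's <request-headers> field) can be contained on the receiving end by scrubbing credential-bearing headers before the report is stored or forwarded. This is an added example, not code from the thread or from Mozilla's CSP implementation; the XML report layout it parses is a constructed assumption modelled on the field name mentioned in the message, and the sample values are made up.

```python
import xml.etree.ElementTree as ET

# Request headers that carry the user's credentials for the reporting site
# and therefore must never be passed on to anyone else.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}

# Constructed sample report (assumed shape; not the exact wire format of any
# CSP version). The header block mirrors what a browser might include.
SAMPLE_REPORT = """<csp-report>
  <request>GET /account HTTP/1.1</request>
  <request-headers>Host: angelic.example
Cookie: session=CONSTRUCTED-SESSION-VALUE
Accept: text/html
Authorization: Bearer CONSTRUCTED-TOKEN</request-headers>
  <blocked-uri>http://be-evil.example/x.js</blocked-uri>
  <violated-directive>allow self</violated-directive>
</csp-report>"""


def scrub_request_headers(raw_headers: str) -> str:
    """Drop credential-bearing header lines; keep the others in order.

    Matching is on the header name only, case-insensitively, so 'cookie',
    'Cookie' and 'COOKIE' are all removed. Lines without a colon are kept.
    """
    kept = []
    for line in raw_headers.splitlines():
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            continue
        kept.append(line)
    return "\n".join(kept)


def scrub_report(report_xml: str) -> str:
    """Return the report with sensitive request headers removed.

    Run this on the report-uri endpoint before the report is logged or
    relayed; every other element is passed through unchanged.
    """
    root = ET.fromstring(report_xml)
    hdrs = root.find("request-headers")
    if hdrs is not None:
        hdrs.text = scrub_request_headers(hdrs.text or "")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(scrub_report(SAMPLE_REPORT))
```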
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
