On 2009-06-23, Bil Corry <[email protected]> wrote:
> Serge van den Boom wrote on 6/23/2009 8:13 AM:
>> However, by injecting an X-Content-Security-Policy header with the
>> policy-uri set to the vulnerable URL, the web client can be tricked into
>> visiting the vulnerable URL.
>
> It would only work for those pages where a X-Content-Security-Policy
> header has not already been set -- additional
> X-Content-Security-Policy headers are ignored.

The injected header could be the first one though, with the genuine
header being ignored.

> But beyond that, the proposed "Link" header would provide the same
> attack surface, and can not be restricted to a known URI:

I was not familiar with that proposal, but skimming through it, it
appears that these links are not resolved automatically, making this
header less interesting for attackers. The same goes for the standard
"Content-Location" header.

Serge
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
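
A response-side check for the situation discussed in this thread, as an added example (not code from the thread or from Mozilla): it lists the X-Content-Security-Policy headers in wire order, treats the first one as effective, following the statement above that additional headers are ignored, and flags duplicates and a policy-uri outside a known set. The function names, the example.test host, the paths and the sample response are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

HEADER = "x-content-security-policy"

def csp_headers(raw_head):
    """Return the X-Content-Security-Policy values in wire order."""
    values = []
    for line in raw_head.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                                 # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER:
            values.append(value.strip())
    return values

def policy_uri(policy):
    """Extract the value of a policy-uri directive, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if len(parts) == 2 and parts[0].lower() == "policy-uri":
            return parts[1]
    return None

def audit(page_url, raw_head, known_policy_paths):
    """Findings for one response; assumes the first header is the effective one."""
    findings = []
    values = csp_headers(raw_head)
    if len(values) > 1:
        findings.append("duplicate-header")       # later copies would be ignored
    if values:
        uri = policy_uri(values[0])
        if uri is not None:
            target = urljoin(page_url, uri)
            if urlsplit(target)[:2] != urlsplit(page_url)[:2]:
                findings.append("policy-uri-cross-origin")
            elif urlsplit(target).path not in known_policy_paths:
                findings.append("policy-uri-not-known")
    return findings

# Constructed sample: an unexpected header precedes the site's own one.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Security-Policy: policy-uri /app/endpoint?x=1\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Security-Policy: policy-uri /csp/policy.txt\r\n"
    "\r\n"
)
```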
