I put together a brief description of the history module proposal on the wiki:
https://wiki.mozilla.org/Security/CSP/HistoryModule

On Tue, Oct 20, 2009 at 10:03 AM, Collin Jackson <mozi...@collinjackson.com> wrote:
> If you want to make a module that prevents history sniffing completely
> against specific sites and avoids assuming the user never interacts
> with a bad site, you could have a CSP module that allows a server to
> specify whether its history entries can be treated as visited by other
> origins. Sites concerned about user privacy would then have control
> over whether other sites could detect that they've been visited. A
> similar module could be used for cross-origin cache loads to address
> timing attacks.
>
> On Tue, Oct 20, 2009 at 6:26 AM, Johnathan Nightingale
> <john...@mozilla.com> wrote:
>> On 19-Oct-09, at 5:39 PM, Adam Barth wrote:
>>>
>>> On Mon, Oct 19, 2009 at 6:43 AM, Johnathan Nightingale
>>> <john...@mozilla.com> wrote:
>>>>
>>>> Not as limited as you might like. Remember that even apparently
>>>> non-dangerous constructs (e.g. background-image, the :visited pseudo
>>>> class) can give people power to do surprising things (e.g. internal
>>>> network ping sweeping, user history enumeration respectively).
>>>
>>> I'm not arguing for or against providing the ability to
>>> block-inline-css, but keep in mind that an attacker can do all those
>>> things as soon as you visit attacker.com.
>>
>> Yeah, I think you're absolutely right that CSP is primarily about preventing
>> attackers from exploiting your browser's trust relationship with victim.com,
>> and the examples I offered are (for lack of a better term) victim-agnostic.
>> They don't steal victim.com credentials or cause unwanted changes to, or
>> transactions with, your victim.com presence.
>>
>> I do think, though, that a helpful secondary effect of CSP is that it
>> reduces attackers' ability to amplify the effect of their attacks. You're
>> right that it doesn't take much to get users to click on a link, but I think
>> it is nevertheless the case that a good history enumerator or ping sweep
>> which happens in the background while you're reading a NYTimes article will
>> have a substantially higher success rate than a link in the comment section
>> that says "Click here for free goodies." Basically by definition,
>> link-clickers are a subset of your total prospective victim pool.
>>
>> I think this is more specifically what makes me feel like there's still
>> value to locking down all inline styling, or at least providing that
>> facility, but I appreciate you forcing me to refine my thinking a little
>> more.
>>
>>> In the past, I've found it helpful to simply assume the
>>> user is always visiting attacker.com in some background tab. After
>>> all, Firefox is supposed to let you view untrusted web sites securely.
>>
>> Yes, absolutely so. We should continue to try to bend smarts towards fixing
>> :visited and other nasty sleights-of-hand. But the one course of work
>> doesn't preclude the other (and I don't think you were saying that it did).
>>
>> Johnathan
>>
>> ---
>> Johnathan Nightingale
>> Human Shield
>> john...@mozilla.com
>>
>> _______________________________________________
>> dev-security mailing list
>> dev-security@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security
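The mechanism Collin Jackson sketches above (a site declaring which origins may see that it has been visited) can be modelled as a small browser-side policy check. The following is an added example, not code from this thread, from Mozilla or from the wiki proposal: the directive name `history-visible-to`, its source-list syntax (`'self'`, `'none'`, origin tokens, modelled on ordinary CSP source lists) and the sample policies are all assumptions made here for illustration. It shows the one part that is easy to get wrong in practice: the decision must compare normalised origins (scheme, host and effective port), not raw host strings, or the policy leaks through trivial case and port variations.

```javascript
// Added example, not code from the thread or from Mozilla. It models the
// browser-side check a CSP "history module" would need: given a site's
// declared policy, may the current page render a link to that site as
// :visited? The directive value syntax used here is an assumption modelled
// on CSP source lists, e.g.  history-visible-to 'self' https://partner.example

// Normalise a URL to its origin. URL.origin lowercases scheme and host and
// drops default ports, so "https://PARTNER.example:443/x" and
// "https://partner.example/" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// Parse the assumed directive value into a policy object.
//   'none'  -> no origin, not even the site itself, may see visited state
//   'self'  -> only same-origin pages may see it
//   <url>   -> that origin may see it
function parseHistoryPolicy(headerValue) {
  const policy = { self: false, none: false, origins: new Set() };
  for (const token of headerValue.trim().split(/\s+/).filter(Boolean)) {
    if (token === "'none'") policy.none = true;
    else if (token === "'self'") policy.self = true;
    else policy.origins.add(originOf(token)); // store normalised origins
  }
  return policy;
}

// Decide whether a page at pageUrl may style a link to linkUrl as :visited.
// `policies` maps a target origin to its parsed policy. A target that has
// published no policy keeps the pre-existing behaviour: visited state is
// visible to every origin, which is exactly what history sniffing relies on.
function mayRenderAsVisited(policies, pageUrl, linkUrl) {
  const pageOrigin = originOf(pageUrl);
  const linkOrigin = originOf(linkUrl);
  const policy = policies.get(linkOrigin);
  if (!policy) return true;
  if (policy.none) return false;
  if (policy.self && pageOrigin === linkOrigin) return true;
  return policy.origins.has(pageOrigin);
}

// Constructed sample policies, as three hypothetical sites might send them.
const samplePolicies = new Map([
  ["https://bank.example", parseHistoryPolicy("'self'")],
  ["https://health.example", parseHistoryPolicy("'none'")],
  ["https://shop.example", parseHistoryPolicy("'self' https://partner.example:443")],
]);

// A third-party page asking about a bank link gets "not visited" regardless
// of the real history, so nothing about the user's browsing leaks to it.
console.log(mayRenderAsVisited(samplePolicies,
  "https://thirdparty.example/page", "https://bank.example/login"));
```

Note that the last case in the sample policies only works because both sides are normalised: `https://partner.example:443` in the header and `https://PARTNER.example/` as the requesting page both reduce to `https://partner.example`. A policy that did string comparison on the raw host would either reject the legitimate partner or, worse, be bypassable by a page on a different port of the same host name.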