Content Security Policy updates
Sid has updated the Content Security Policy spec to address some of the issues discussed here.

https://wiki.mozilla.org/Security/CSP/Spec

You can see the issues we've been tracking and the resolutions at the Talk page:

https://wiki.mozilla.org/Talk:Security/CSP/Spec

There are still a few open issues.

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Content Security Policy updates
Daniel Veditz wrote on 7/23/2009 10:32 AM:
> Sid has updated the Content Security Policy spec to address some of the issues discussed here.
>
> https://wiki.mozilla.org/Security/CSP/Spec

Under "Policy Refinements with a Multiply-Specified Header" there is a misspelling of X-Content-SecurityPolicy. And that section conflicts with what is said earlier in the document, specifically:

    When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced

vs.

    If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded.

and

    Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored.

- Bil
Re: Content Security Policy updates
On 7/23/09 9:36 AM, Bil Corry wrote:
> Under "Policy Refinements with a Multiply-Specified Header" there is a misspelling of X-Content-SecurityPolicy.

Fixed.

> And that section conflicts with what is said earlier in the document, specifically:
>
>     When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced
>
> vs.
>
>     If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded.
>
> and
>
>     Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored.

Fixed. Multiple header instances cause the policies to be intersected. This is more-or-less a replacement for meta tag support, which has been dropped.

Thanks Bil!
-Sid
Re: Content Security Policy updates
Sid Stamm wrote on 7/23/2009 11:41 AM:
> On 7/23/09 9:36 AM, Bil Corry wrote:
>> And that section conflicts with what is said earlier in the document, specifically:
>>
>>     When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced
>>
>> vs.
>>
>>     If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded.
>>
>> and
>>
>>     Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored.
>
> Fixed. Multiple header instances cause the policies to be intersected. This is more-or-less a replacement for meta tag support, which has been dropped.

There's still one sentence about it lingering under "Activation and Enforcement" that needs to be removed.

I think the section labeled "Policy Refinements with a Multiply-Specified Header" would be more clear if renamed to "Policy Intersection with Multiple Headers" or something similar.

- Bil
Re: Content Security Policy updates
On 7/23/09 11:25 AM, Bil Corry wrote:
> Sid Stamm wrote on 7/23/2009 11:41 AM:
>> On 7/23/09 9:36 AM, Bil Corry wrote:
>>> And that section conflicts with what is said earlier in the document, specifically:
>>>
>>>     When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced
>>>
>>> vs.
>>>
>>>     If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded.
>>>
>>> and
>>>
>>>     Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored.
>>
>> Fixed. Multiple header instances cause the policies to be intersected. This is more-or-less a replacement for meta tag support, which has been dropped.
>
> There's still one sentence about it lingering under "Activation and Enforcement" that needs to be removed.

Thanks for catching this. Fixed.

> I think the section labeled "Policy Refinements with a Multiply-Specified Header" would be more clear if renamed to "Policy Intersection with Multiple Headers" or something similar.

Good call. Done. It's difficult to capture "policy refinements when the X-Content-Security-Policy header appears many times" into a small section header.

-Sid
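As an added illustration (not code from the spec or from anyone in this thread) of the intersection rule Sid describes, the check below parses several constructed X-Content-Security-Policy header values and allows a load only when every policy permits it, so a permissive header can never widen a restrictive one. The directive syntax (`allow` as the fallback directive), the fail-closed default when `allow` is absent, and the simplified host matching are assumptions modelled on the 2009 draft, not a transcription of it.

```python
from urllib.parse import urlsplit

def parse_policy(header):
    """Parse one X-Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, load_host, self_host):
    """True if a single source expression permits a load from load_host."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return load_host == self_host
    if src.startswith("*."):            # *.example.com: subdomains only
        return load_host.endswith(src[1:])
    return load_host == src              # plain host source

def policy_allows(policy, directive, load_url, doc_url):
    """Evaluate one policy. A directive missing from the policy falls back to
    `allow`; a policy with no `allow` is treated as allow 'none' (assumption)."""
    load_host = (urlsplit(load_url).hostname or "").lower()
    self_host = (urlsplit(doc_url).hostname or "").lower()
    sources = policy.get(directive) or policy.get("allow") or ["'none'"]
    return any(source_matches(s, load_host, self_host) for s in sources)

def intersection_allows(headers, directive, load_url, doc_url):
    """Intersection of several header instances: every policy must permit."""
    return all(policy_allows(parse_policy(h), directive, load_url, doc_url)
               for h in headers)

if __name__ == "__main__":
    # Constructed sample: two header instances on one response.
    headers = ["allow 'self'; img-src *",
               "allow 'self'; img-src *.example.com"]
    doc = "https://app.example.com/"
    print(intersection_allows(headers, "img-src", "https://cdn.example.com/a.png", doc))
    print(intersection_allows(headers, "img-src", "https://evil.test/a.png", doc))
```

Under the "first header wins" wording that Bil flagged, the second response above would have been allowed by `img-src *`; the intersection rule denies it.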
dns-prefetch
In [1], it's mentioned that:

    Furthermore, as a security measure, prefetching of embedded link hostnames is not done from documents loaded over https. If you want to allow it in that context too, just set the preference network.dns.disablePrefetchFromHTTPS to true.

Can someone explain the security concerns with DNS prefetching from an HTTPS site?

- Bil

[1] http://bitsup.blogspot.com/2008/11/dns-prefetching-for-firefox.html
Re: dns-prefetch
On Thu, Jul 23, 2009 at 7:10 PM, Bil Corry b...@corry.biz wrote:
> Can someone explain the security concerns with DNS prefetching from an HTTPS site?

The concern is privacy. Prefetching DNS for host names referenced in an HTTPS page leaks some info contained in that page.

Wan-Teh
Re: dns-prefetch
Wan-Teh Chang wrote on 7/23/2009 9:29 PM:
> On Thu, Jul 23, 2009 at 7:10 PM, Bil Corry b...@corry.biz wrote:
>> Can someone explain the security concerns with DNS prefetching from an HTTPS site?
>
> The concern is privacy. Prefetching DNS for host names referenced in an HTTPS page leaks some info contained in that page.

Thanks for the response. Who is the data being leaked to? The DNS provider? The adversary sniffing packets off a public hotspot? And what information is being leaked? The hostname(s) that are referenced on the HTTPS page? I'm just trying to understand the complete risk involved.

- Bil