Wan-Teh Chang wrote on 7/23/2009 9:29 PM:
> On Thu, Jul 23, 2009 at 7:10 PM, Bil Corry wrote:
>> Can someone explain the security concerns with DNS prefetching from a HTTPS
>> site?
>
> The concern is privacy. Prefetching DNS for host names referenced
> in an HTTPS page leaks some info containe

On Thu, Jul 23, 2009 at 7:10 PM, Bil Corry wrote:
>
> Can someone explain the security concerns with DNS prefetching from a HTTPS
> site?
The concern is privacy. Prefetching DNS for host names referenced
in an HTTPS page leaks some info contained in that page.
Wan-Teh

In [1], it's mentioned that:
"Furthermore, as a security measure, prefetching of embedded link hostnames is
not done from documents loaded over https. If you want to allow it in that
context too, just set the preference network.dns.disablePrefetchFromHTTPS to
true."
Can someone explain the sec

On 7/23/09 11:25 AM, Bil Corry wrote:
> Sid Stamm wrote on 7/23/2009 11:41 AM:
>> On 7/23/09 9:36 AM, Bil Corry wrote:
>>> And that section conflicts with what is said earlier in the document,
>>> specifically:
>>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
>>> pres

Sid Stamm wrote on 7/23/2009 11:41 AM:
> On 7/23/09 9:36 AM, Bil Corry wrote:
>> And that section conflicts with what is said earlier in the document,
>> specifically:
>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are
>> present in an HTTP response, the intersection of

On 7/23/09 9:36 AM, Bil Corry wrote:
> Under "Policy Refinements with a Multiply-Specified Header" there is a
> misspelling of "X-Content-SecurityPolicy".
Fixed.
> And that section conflicts with what is said earlier in the document,
> specifically:
> "When multiple instances of the X-Content-Se

Daniel Veditz wrote on 7/23/2009 10:32 AM:
> Sid has updated the Content Security Policy spec to address some of the
> issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec
Under "Policy Refinements with a Multiply-Specified Header" there is a
misspelling of "X-Content-SecurityPolicy

Sid has updated the Content Security Policy spec to address some of the
issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec
You can see the issues we've been tracking and the resolutions at the
Talk page: https://wiki.mozilla.org/Talk:Security/CSP/Spec
There are still a few open iss