[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Content-Security-Policy


I don't know if this is something we should be concerned about, but I
thought I'd bring it to your attention anyway.

Firefox 4 implements Content-Security-Policy:

It allows website owners to send a HTTP response header containing a
policy about what the page is allowed to do. Ie, is it allowed to fetch
images from a different domain? Is it allowed to include inline
javascript? etc...

One of the features of Content-Security-Policy is that you can refer to
a URI in the response header which is used for reporting violations. If
the browser detects that the page is trying to violate one of its
conditions (eg by linking to a remote image), it will then POST data
about that violation to the report URI. The data that it POSTs is a blob
of JSON. One of the things included in that JSON is the full set of
request headers that the browser used when requesting the page that lead
to the violation.

It's my understanding that people use proxys like Privoxy to sanitise
and strip HTTP headers. Using this Content-Security-Policy reporting
method could allow a website owner to cause the users browser to package
up the headers in a nice blob of JSON, and then POST them back to the
server, bypassing any header sanitising.

You can put Content-Security-Policy in "report only" mode, so it would
be completely transparent to the end user.

Worth addressing?

Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

Attachment: signature.asc
Description: OpenPGP digital signature

tor-talk mailing list