Hi,

I don't know if this is something we should be concerned about, but I thought I'd bring it to your attention anyway.

Firefox 4 implements Content-Security-Policy: https://wiki.mozilla.org/Security/CSP/Specification

It allows website owners to send an HTTP response header containing a policy about what the page is allowed to do. I.e., is it allowed to fetch images from a different domain? Is it allowed to include inline JavaScript? etc...

One of the features of Content-Security-Policy is that you can refer to a URI in the response header which is used for reporting violations. If the browser detects that the page is trying to violate one of its conditions (e.g. by linking to a remote image), it will then POST data about that violation to the report URI. The data that it POSTs is a blob of JSON. One of the things included in that JSON is the full set of request headers that the browser used when requesting the page that led to the violation.

It's my understanding that people use proxies like Privoxy to sanitise and strip HTTP headers. Using this Content-Security-Policy reporting method could allow a website owner to cause the user's browser to package up the headers in a nice blob of JSON, and then POST them back to the server, bypassing any header sanitising. You can put Content-Security-Policy in "report only" mode, so it would be completely transparent to the end user.

Worth addressing?

-- 
Mike Cardwell    https://grepular.com/     https://twitter.com/mickeyc
Professional     http://cardwellit.com/    http://linkedin.com/in/mikecardwell
PGP.mit.edu      0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk