
Re: [tor-talk] Content-Security-Policy

On Thu, 2011-05-19 at 16:39 +0100, tor@xxxxxxxxxxxxxxxxxx wrote:
> Hi,
> I don't know if this is something we should be concerned about, but I
> thought I'd bring it to your attention anyway.
> Firefox 4 implements Content-Security-Policy:
> https://wiki.mozilla.org/Security/CSP/Specification
> It allows website owners to send an HTTP response header containing a
> policy about what the page is allowed to do. I.e., is it allowed to fetch
> images from a different domain? Is it allowed to include inline
> JavaScript? etc...
> One of the features of Content-Security-Policy is that you can refer to
> a URI in the response header which is used for reporting violations. If
> the browser detects that the page is trying to violate one of its
> conditions (e.g. by linking to a remote image), it will then POST data
> about that violation to the report URI. The data that it POSTs is a blob
> of JSON. One of the things included in that JSON is the full set of
> request headers that the browser used when requesting the page that led
> to the violation.
> It's my understanding that people use proxies like Privoxy to sanitise
> and strip HTTP headers. Using this Content-Security-Policy reporting
> method could allow a website owner to cause the user's browser to package
> up the headers in a nice blob of JSON, and then POST them back to the
> server, bypassing any header sanitising.
> You can put Content-Security-Policy in "report only" mode, so it would
> be completely transparent to the end user.
> Worth addressing?

While people do use proxies to sanitize HTTP headers, they shouldn't.
These kinds of proxies provide no real protection, as HTTPS requests
bypass them, and most of that information is available via JavaScript

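To make the reporting path described in the quoted message concrete, here is an added example (not code from either poster, Mozilla or Privoxy) of what a header-sanitising proxy would have to do to close the gap it opens: spot the report-uri in a policy header and strip the header-echoing field from any violation report the browser POSTs back. The report body and its field names are constructed from the report format in the linked Mozilla specification and are assumptions, not captured traffic.

```python
import json

# Constructed sample of a violation report as the Mozilla CSP spec describes
# it: the "request-headers" field carries the browser's full request headers.
SAMPLE_REPORT_BODY = json.dumps({
    "csp-report": {
        "request": "GET http://example.invalid/page HTTP/1.1",
        "request-headers": "Host: example.invalid\r\n"
                           "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
                           "Accept-Language: de-DE,de;q=0.8\r\n",
        "blocked-uri": "http://cdn.example.invalid/img.png",
        "violated-directive": "img-src 'self'",
    }
})

# Report fields that echo the browser's own request back to the site.
LEAKY_KEYS = ("request-headers",)


def parse_report_uri(csp_header):
    """Return the report-uri target(s) of a policy header value, or [].

    Works on the 2011-era syntax ("allow 'self'; report-uri /x"), which
    Firefox 4 sent under the X-Content-Security-Policy header name.
    """
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            return parts[1:]
    return []


def scrub_csp_report(body):
    """Drop header-echoing fields from a CSP violation report body.

    Returns (new_body, removed_keys); anything that is not a report
    passes through unchanged, so this is safe to run on every POST body.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return body, []
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return body, []
    removed = [key for key in LEAKY_KEYS if key in report]
    for key in removed:
        del report[key]
    return json.dumps(doc), removed


if __name__ == "__main__":
    print("report-uri:", parse_report_uri("allow 'self'; report-uri /csp-report"))
    scrubbed, gone = scrub_csp_report(SAMPLE_REPORT_BODY)
    print("removed:", gone)
    print(scrubbed)
```

As the reply above points out, this only covers plain HTTP passing through the proxy; a report sent over HTTPS, or the same data collected via JavaScript, never reaches the filter.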

tor-talk mailing list