Newsgroups: mozilla.dev.security
From: Sid Stamm <s...@mozilla.com>
Date: Tue, 07 Apr 2009 08:28:03 -0700
Local: Tues, Apr 7 2009 11:28 am
Subject: Re: Content Security Policy - final call for comments
On 4/7/09 4:01 AM, Gervase Markham wrote:
> Surely not? If Site Angelic redirects to Site Be-Evil, we don't send
> Angelic's cookies to Be-Evil, do we? Or have I missed something? You may
> need to describe the attack scenario in more detail for my small brain.

Since the user's entire request header is in the report, any cookies
sent with the request header to Angelic get forwarded on. While Be-Evil
doesn't actually get forwarded cookies, the cookies are buried in the
content of the report that is forwarded under the <request-headers> field.

>> I think the intention for requiring the allow directive was to force the
>> policy-writer into writing out the default case to minimize possibility
>> for false assumptions. I'm not sure though.
> Fair enough. As long as the JS console/error report says something

Of course. Any forgivable but bad policy syntax is going to be spat
into the error console. Terminal ("can't parse") errors will cause CSP to
fail closed ("allow self") and still raise an error.

-Sid
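The redirect leak Sid describes, as an added example that is not code from this thread or from Mozilla's CSP implementation: the browser builds a violation report that embeds the original request headers (as the 2009 draft's <request-headers> field did), POSTs it to Angelic's report-uri, and follows Angelic's redirect to Be-Evil, so the Cookie header arrives at Be-Evil inside the report body rather than as a cookie. The report shape, the hostnames, the redirect table standing in for HTTP 3xx responses, and the two mitigations (strip credential-bearing headers; refuse cross-origin redirects when delivering) are all assumptions for illustration, not the draft's wire format or what the implementation did.

```javascript
// Added example, not code from the thread or from Mozilla's CSP code.
// Models a violation report that carries the user's request headers to a
// report-uri that redirects off-origin. Report shape, hosts and redirect
// table are constructed stand-ins.

// Constructed violation report for a page on angelic.example, with a
// draft-style "request-headers" field that includes the Cookie header.
const sampleReport = {
  'request': 'GET /account HTTP/1.1',
  'request-headers': {
    'Host': 'angelic.example',
    'Cookie': 'session=0123456789abcdef',
    'User-Agent': 'ExampleBrowser/1.0',
  },
  'blocked-uri': 'https://cdn.example/inline.js',
  'violated-directive': 'script-src self',
};

// Constructed stand-in for the 3xx responses a report POST would meet.
// Angelic's report endpoint bounces to Be-Evil; a legacy path stays on-origin.
const redirects = {
  'https://angelic.example/csp-report': 'https://be-evil.example/collect',
  'https://angelic.example/legacy-report': 'https://angelic.example/reports/v2',
};

// Assumed list of headers that must never leave the browser inside a report.
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Delivery as the draft left it: follow whatever redirect the report-uri
// returns and hand the full report body to the final location.
// Returns the origin that ends up holding the body, plus the body itself.
function deliverReportNaively(reportUri, report, maxHops = 5) {
  let uri = reportUri;
  for (let hop = 0; hop < maxHops && redirects[uri]; hop++) {
    uri = redirects[uri];
  }
  return { receiver: new URL(uri).origin, body: JSON.stringify(report) };
}

// Does a serialized report body carry a Cookie header?
function bodyCarriesCookie(body) {
  const headers = JSON.parse(body)['request-headers'] || {};
  return Object.keys(headers).some((name) => name.toLowerCase() === 'cookie');
}

// Mitigation 1: drop credential-bearing headers before serializing,
// so the report is harmless even if it does reach the wrong party.
function stripSensitiveHeaders(report) {
  const kept = {};
  for (const [name, value] of Object.entries(report['request-headers'] || {})) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return { ...report, 'request-headers': kept };
}

// Mitigation 2: deliver only within the report-uri's own origin. A redirect
// that leaves that origin aborts delivery instead of being followed.
function deliverReportSafely(reportUri, report, maxHops = 5) {
  const origin = new URL(reportUri).origin;
  let uri = reportUri;
  for (let hop = 0; hop < maxHops && redirects[uri]; hop++) {
    const next = redirects[uri];
    if (new URL(next).origin !== origin) {
      return { receiver: null, body: null, reason: 'cross-origin redirect refused' };
    }
    uri = next;
  }
  return { receiver: origin, body: JSON.stringify(stripSensitiveHeaders(report)) };
}

// Stand-alone run: show where the cookie ends up in each case.
const naive = deliverReportNaively('https://angelic.example/csp-report', sampleReport);
console.log('naive delivery reaches', naive.receiver,
            '- cookie in body:', bodyCarriesCookie(naive.body));
const safe = deliverReportSafely('https://angelic.example/csp-report', sampleReport);
console.log('safe delivery:', safe.reason || ('reaches ' + safe.receiver));
```

The naive path delivers a body containing `session=...` to be-evil.example even though no Cookie header is sent there, which is exactly the distinction in the reply above. Either mitigation on its own closes that particular leak; the header stripping also protects against a report endpoint that is simply compromised rather than redirecting.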