From 5233fe8e75fd5b155135c6eca35fb48e685c14e5 Mon Sep 17 00:00:00 2001
From: Mike West <mike@mikewest.org>
Date: Wed, 12 Aug 2015 08:22:33 +0200
Subject: [PATCH] CSP2: Note the issue the 'CSP' header was meant to solve.

---
 specs/CSP2/index.html                | 20 +++++++++++++++++---
 specs/CSP2/index.src.html            | 14 +++++++++++++-
 specs/CSP2/published/2015-08-PR.html | 18 ++++++++++++++++--
 3 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/specs/CSP2/index.html b/specs/CSP2/index.html
index 80d8295c..ebfdecdc 100644
--- a/specs/CSP2/index.html
+++ b/specs/CSP2/index.html
@@ -111,7 +111,7 @@
    <h1 class="p-name no-ref" id="title">Content Security Policy Level 2</h1>
   
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
-    <time class="dt-updated" datetime="2015-08-11">11 August 2015</time></span></h2>
+    <time class="dt-updated" datetime="2015-08-12">12 August 2015</time></span></h2>
   
    <div data-fill-with="spec-metadata">
     <dl>
@@ -346,7 +346,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
     <li><a href="#security-considerations"><span class="secno">9</span> <span class="content">Security Considerations</span></a>
      <ul class="toc">
       <li><a href="#security-css-parsing"><span class="secno">9.1</span> <span class="content">Cascading Style Sheet (CSS) Parsing</span></a>
-      <li><a href="#security-violation-reports"><span class="secno">9.2</span> <span class="content">Violation Reports</span></a>
+      <li><a href="#security-redirects"><span class="secno">9.2</span> <span class="content">Redirect Information Leakage</span></a>
      </ul>
     <li><a href="#implementation-considerations"><span class="secno">10</span> <span class="content">Implementation Considerations</span></a>
      <ul class="toc">
@@ -4963,7 +4963,7 @@ <h3 class="heading settled" data-level="9.1" id="security-css-parsing"><span cla
   
     <section>
     
-     <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><span class="secno">9.2. </span><span class="content">Violation Reports</span><a class="self-link" href="#security-violation-reports"></a></h3>
+     <h3 class="heading settled" data-level="9.2" id="security-redirects"><span class="secno">9.2. </span><span class="content">Redirect Information Leakage</span><a class="self-link" href="#security-redirects"></a></h3>
      
 
 
@@ -4980,6 +4980,20 @@ <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><sp
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.</p>
      
+
+
+     <p>The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.</p>
+     
   
     </section>
 </section>
diff --git a/specs/CSP2/index.src.html b/specs/CSP2/index.src.html
index 3f6f903c..7388ad7c 100644
--- a/specs/CSP2/index.src.html
+++ b/specs/CSP2/index.src.html
@@ -3403,7 +3403,7 @@ <h3 id="security-css-parsing">Cascading Style Sheet (CSS) Parsing</h3>
   </section>
 
   <section>
-    <h3 id="security-violation-reports">Violation Reports</h3>
+    <h3 id="security-redirects">Redirect Information Leakage</h3>
 
     The violation reporting mechanism in this document has been
     designed to mitigate the risk that a malicious web site could use
@@ -3417,6 +3417,18 @@ <h3 id="security-violation-reports">Violation Reports</h3>
     report might contain sensitive information contained in the redirected URL,
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.
+
+    The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.
   </section>
 </section>
 
diff --git a/specs/CSP2/published/2015-08-PR.html b/specs/CSP2/published/2015-08-PR.html
index f266c463..ed3ec8e9 100644
--- a/specs/CSP2/published/2015-08-PR.html
+++ b/specs/CSP2/published/2015-08-PR.html
@@ -307,7 +307,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
     <li><a href="#security-considerations"><span class="secno">9</span> <span class="content">Security Considerations</span></a>
      <ul class="toc">
       <li><a href="#security-css-parsing"><span class="secno">9.1</span> <span class="content">Cascading Style Sheet (CSS) Parsing</span></a>
-      <li><a href="#security-violation-reports"><span class="secno">9.2</span> <span class="content">Violation Reports</span></a>
+      <li><a href="#security-redirects"><span class="secno">9.2</span> <span class="content">Redirect Information Leakage</span></a>
      </ul>
     <li><a href="#implementation-considerations"><span class="secno">10</span> <span class="content">Implementation Considerations</span></a>
      <ul class="toc">
@@ -4924,7 +4924,7 @@ <h3 class="heading settled" data-level="9.1" id="security-css-parsing"><span cla
   
     <section>
     
-     <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><span class="secno">9.2. </span><span class="content">Violation Reports</span><a class="self-link" href="#security-violation-reports"></a></h3>
+     <h3 class="heading settled" data-level="9.2" id="security-redirects"><span class="secno">9.2. </span><span class="content">Redirect Information Leakage</span><a class="self-link" href="#security-redirects"></a></h3>
      
 
 
@@ -4941,6 +4941,20 @@ <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><sp
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.</p>
      
+
+
+     <p>The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.</p>
+     
   
     </section>
 </section>