CSP2: Note the issue the 'CSP' header was meant to solve.

w3c · Aug 12, 2015 · 5233fe8 · 5233fe8
1 parent 245c10b
commit 5233fe8
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 6 deletions.
diff --git a/specs/CSP2/index.html b/specs/CSP2/index.html
@@ -111,7 +111,7 @@
    <h1 class="p-name no-ref" id="title">Content Security Policy Level 2</h1>
 
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
-    <time class="dt-updated" datetime="2015-08-11">11 August 2015</time></span></h2>
+    <time class="dt-updated" datetime="2015-08-12">12 August 2015</time></span></h2>
 
    <div data-fill-with="spec-metadata">
     <dl>
@@ -346,7 +346,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
     <li><a href="#security-considerations"><span class="secno">9</span> <span class="content">Security Considerations</span></a>
      <ul class="toc">
       <li><a href="#security-css-parsing"><span class="secno">9.1</span> <span class="content">Cascading Style Sheet (CSS) Parsing</span></a>
-      <li><a href="#security-violation-reports"><span class="secno">9.2</span> <span class="content">Violation Reports</span></a>
+      <li><a href="#security-redirects"><span class="secno">9.2</span> <span class="content">Redirect Information Leakage</span></a>
      </ul>
     <li><a href="#implementation-considerations"><span class="secno">10</span> <span class="content">Implementation Considerations</span></a>
      <ul class="toc">
@@ -4963,7 +4963,7 @@ <h3 class="heading settled" data-level="9.1" id="security-css-parsing"><span cla
 
     <section>
 
-     <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><span class="secno">9.2. </span><span class="content">Violation Reports</span><a class="self-link" href="#security-violation-reports"></a></h3>
+     <h3 class="heading settled" data-level="9.2" id="security-redirects"><span class="secno">9.2. </span><span class="content">Redirect Information Leakage</span><a class="self-link" href="#security-redirects"></a></h3>
 
 
 
@@ -4980,6 +4980,20 @@ <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><sp
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.</p>
 
+
+
+     <p>The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.</p>
+
 
     </section>
 </section>

diff --git a/specs/CSP2/index.src.html b/specs/CSP2/index.src.html
@@ -3403,7 +3403,7 @@ <h3 id="security-css-parsing">Cascading Style Sheet (CSS) Parsing</h3>
   </section>
 
   <section>
-    <h3 id="security-violation-reports">Violation Reports</h3>
+    <h3 id="security-redirects">Redirect Information Leakage</h3>
 
     The violation reporting mechanism in this document has been
     designed to mitigate the risk that a malicious web site could use
@@ -3417,6 +3417,18 @@ <h3 id="security-violation-reports">Violation Reports</h3>
     report might contain sensitive information contained in the redirected URL,
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.
+
+    The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.
   </section>
 </section>
 

diff --git a/specs/CSP2/published/2015-08-PR.html b/specs/CSP2/published/2015-08-PR.html
@@ -307,7 +307,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
     <li><a href="#security-considerations"><span class="secno">9</span> <span class="content">Security Considerations</span></a>
      <ul class="toc">
       <li><a href="#security-css-parsing"><span class="secno">9.1</span> <span class="content">Cascading Style Sheet (CSS) Parsing</span></a>
-      <li><a href="#security-violation-reports"><span class="secno">9.2</span> <span class="content">Violation Reports</span></a>
+      <li><a href="#security-redirects"><span class="secno">9.2</span> <span class="content">Redirect Information Leakage</span></a>
      </ul>
     <li><a href="#implementation-considerations"><span class="secno">10</span> <span class="content">Implementation Considerations</span></a>
      <ul class="toc">
@@ -4924,7 +4924,7 @@ <h3 class="heading settled" data-level="9.1" id="security-css-parsing"><span cla
 
     <section>
 
-     <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><span class="secno">9.2. </span><span class="content">Violation Reports</span><a class="self-link" href="#security-violation-reports"></a></h3>
+     <h3 class="heading settled" data-level="9.2" id="security-redirects"><span class="secno">9.2. </span><span class="content">Redirect Information Leakage</span><a class="self-link" href="#security-redirects"></a></h3>
 
 
 
@@ -4941,6 +4941,20 @@ <h3 class="heading settled" data-level="9.2" id="security-violation-reports"><sp
     such as session identifiers or purported identities. For this reason, the
     user agent includes only the origin of the blocked URL.</p>
 
+
+
+     <p>The mitigations are not complete, however: redirects which are blocked will
+    produce side-effects which may be visible to JavaScript (via
+    <code>img.naturalHeight</code>, for instance). An earlier version of this
+    specification defined a
+    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
+    request header</a> which servers could use (in conjunction with the
+    <code>referer</code> and <code>origin</code> headers) to determine whether
+    or not it was completely safe to redirect a user. This header caused some
+    issues with CORS processing (tracked in
+    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
+    and has been punted to the next version of this document.</p>
+
 
     </section>
 </section>