[tahoe-dev] Content-Security-Policy, and referrer leakage for capabilities-in-URLs
David-Sarah Hopwood
david-sarah at jacaranda.org
Thu Sep 13 04:26:07 UTC 2012
[repost to tahoe-dev since I sent this from the wrong address]
Content-Security-Policy is a way of allowing web servers to specify more restrictive
security policies (than the usual web defaults) that apply to all or some of the documents
they serve, mainly with the intent of limiting XSS and other injection attacks:
<https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>
I wrote an addition to the spec that prevents leakage of URIs in the Referer header,
and in a couple of related ways (document.referrer, window.opener, and the Origin header).
This is useful for systems that encode capabilities in URLs, such as Tahoe-LAFS,
although it isn't intended to fix all of the problems with doing that by itself.
I'd like interested people to review it before I propose it formally.
It is available at
https://tahoe-lafs.org/trac/tahoe-lafs/attachment/ticket/127/restrict-referrer-leakage.txt
--
David-Sarah Hopwood ⚥
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20120913/f6ba30f7/attachment.pgp>
More information about the tahoe-dev
mailing list