mkwst, what do you think about this one? I suspect this is WontFix as it seems to just be a natural consequence of CSP.

It only gets worse in 1.1, as currently specced: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html

I'd appreciate opinions on whether this is worth trying to mitigate, and suggestions around how we'd do that if so. As noted in the report, the only real solution is to not send a report in cross-origin cases, which would make the entire reporting feature fairly useless.

It is *already* worse and working. We don't even need onsecuritypolicy even for this.
 I just checked with 
    <meta http-equiv="Content-Security-Policy" content="frame-src https://github.com/notifications;report-uri /asdf">

and detection of login is super fast. Thankfully CSP doesn't look at query part, or there would be a way to leak authentication params.

Harumph. Thinking about this more, this is pretty bad, and I feel like we ought to try and solve it, although I, too, don't see anything near an obvious solution. Is it worth having a meeting to discuss whether this is a fundamental limitation/problem with CSP?

Also we can bruteforce /id123123 with 

def btw(from, to)
  clue = ' http://host/id'
  clue + (from..to).to_a.join(clue) 
end

get '/between' do
  from, to = params[:from].to_i, params[:to].to_i
  allowed = btw(from, to)
  return r=<<HTML
<meta http-equiv="Content-Security-Policy" content="img-src http://host/id #{allowed};report-uri /report?from=#{from}&to=#{to}">
<img src="http://host/id
HTML
end

get '/test' do
  return r=<<HTML
<iframe src="/between?from=1&to=10000"></iframe>
<iframe src="/between?from=10000&to=20000"></iframe>
<iframe src="/between?from=20000&to=30000"></iframe>
...
HTML
end

 Issue 317583  has been merged into this issue.

(No comment was entered for this change.)

Bulk unrestriction of Severity-none bugs.

(No comment was entered for this change.)

 Issue 342737  has been merged into this issue.

still not fixed. report-uri is not necessary http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html

I disagree with Security-Severity-None. This allows an attacker to trivially detect logged in websites, which opens a host of opportunities for phishing, spoofing, XSRF, XSS against logged-in pages, fingerprinting, targetted MiTM, server DoS, etc. At the very least, the privacy implications are major. Leaking visited history through the :visited pseudo-class is child's play compared to this.

I've been thinking about this a bit over the last few weeks while reviewing the spec before pushing for last call. I don't think there's a mitigation mechanism that's effective, short of removing path support from CSP 1.1 entirely.

I think paths are valuable, but not valuable enough to leave this vector open. I've proposed removal at http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html. Please feel free to weigh in with suggestions.

Mike, report-uri is not useful in the wild, why not just leave console message, and fire "onload" event?

Firing the onload event for cross-origin image loads is probably a good idea in general, and I've already started poking at that to align the behavior with iframes.

I guess I disagree that report-uri isn't useful in the wild. It's more work, and slower, certainly, but effective.

I meant to add that firing the onload event for images doesn't actually solve the problem at all, as you can easily read the width/height to detect whether the image actually loaded. It's worth doing, as it makes the task marginally less trivial, but it's not a real mitigation to any extent.

I just don't see a way to keep report-uri and to get rid of this vuln at the same time.

Well, looking forward what will be implemented.

Ha, good job finding another bypass. So you can also set height/width to the real ones... And show some white square instead. I don't recall any other cross origin properties you can read.

I'd invite you to hop into the public-webappsec thread to make that case. I think dropping paths mitigates the risk to the point where it's acceptable (only cross-origin redirects would be detectable, rather than the ability to brute-force intra-origin paths).

Paths will mitigate this bug most of the time, but it will harm CSP goal too - what if I find a way to upload HOST/my/avatar.png and only HOST/widget.js is supposed to be used on victim's site? This is something to also consider..

Absolutely. It's a balance between strengthening CSP's expressive power, and the ability of that expressive power to be used against the user.

In any event; this is a spec discussion that isn't at all specific to Chrome, and we should really bring it over to the thread I started on public-webappsec: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html

I'll certainly implement whatever the WG agrees upon as a reasonable mitigation.

I am a bit confused here.
The result of this seems to be http://www.w3.org/TR/CSP11/#source-list-paths-and-redirects but this actually doesn't solve the original issue highlighted by Egor doesn't it ?

Yes my issue was only partially solved. Domain of destination is still disclosed.

hi Egor, thanks for your answer. Indeed AFAIU as I wrote to the we lists

"in [0] I see a section that has been written in order to address the issue spotted by Egor Homakov in [1].
Now I might have well misunderstood the all story but IMHO this doesn’t seem to solve the original issue.
E.g. if we have 

img-src example.com  

rahter than 

img-src example.com not-example.com/path

what is going to happen?
AFAIU the redirect to not-example.com will still happens hence the leaking."

[0] http://www.w3.org/TR/CSP11/#source-list-paths-and-redirects
[1] http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html