On 6/27/11 11:29 AM, Brian Smith wrote:
> I think CSP should prevent against attacks that involve
> redirecting the user, e.g.:
>
> <meta http-equiv="refresh" content="0;
> url=http://attacker.com/">

Why single out meta refresh? We've talked about whether it makes sense to limit navigation, and meta refresh seems like a subset. It would be strange to restrict a meta refresh set to 30 seconds (say) and not <body onload="window.location.href='http://attacker.com/'">. Or to cover short meta refreshes (0 only? < 5 secs?) and not restrict longer ones.

-Dan Veditz

Received on Friday, 1 July 2011 02:43:18 GMT