W3C home > Mailing lists > Public > public-web-security@w3.org > July 2011

Re: CSP: meta-refresh directive?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 30 Jun 2011 19:42:42 -0700
Message-ID: <4E0D3422.8070706@mozilla.com>
To: Brian Smith <bsmith@mozilla.com>
CC: public-web-security@w3.org
On 6/27/11 11:29 AM, Brian Smith wrote:
> I think CSP should prevent against attacks that involve
> redirecting the user, e.g.:
> 
> <meta http-equiv="refresh" content="0;
> url=http://attacker.com/">

Why single out meta refresh? We've talked about whether it makes
sense to limit navigation and meta refresh seems like a subset. It
would be strange to restrict a meta refresh set to 30 seconds (say)
and not <body onload="window.location.href='http://attacker.com/'>.
Or to cover short meta refreshes (0 only? < 5 secs?) and not
restrict longer ones.

-Dan Veditz
Received on Friday, 1 July 2011 02:43:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 July 2011 02:43:18 GMT