
Re: CSP: meta-refresh directive?

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 27 Jun 2011 21:33:05 +0100
Message-ID: <BANLkTimOsUeHMV0JXckr9uwgy0VywGdtJw@mail.gmail.com>
To: Brian Smith <bsmith@mozilla.com>
Cc: public-web-security@w3.org

On 27 June 2011 19:29, Brian Smith <bsmith@mozilla.com> wrote:

> I think CSP should prevent against attacks that involve redirecting the
> user, e.g.:
>
>    <meta http-equiv="refresh"
>          content="0; url=http://attacker.com/">
>
> or (on *HTTPS*://example.org/):
>
>    <meta http-equiv="refresh"
>          content="0; url=http://example.org/">
>
> Especially since most pages don't use this mechanism, this seems like a
> good thing to allow websites to disable.
>

I'd also disable setting cookies if it doesn't already do so.
Received on Monday, 27 June 2011 20:33:32 UTC
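An added example, not part of this thread: a scan over a page's HTML that flags the two meta-refresh cases Brian Smith describes, a redirect to another host and an https-to-http downgrade on the same host, so a site owner can find pages that depend on this mechanism before opting to disable it. The sample HTML, the page URL `https://example.org/account` and the function names are constructed for the example.

```python
import re
from urllib.parse import urlparse, urljoin

# Tag and attribute scanning kept deliberately simple: any attribute order,
# single or double quotes, or unquoted values.
META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# "<seconds>; url=<target>" (comma also accepted, quotes around the URL optional).
# A bare "<seconds>" is a reload of the same page and carries no target.
REFRESH_RE = re.compile(r"""^\s*\d+\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"\s]+))?""",
                        re.IGNORECASE)

def meta_refresh_findings(html, page_url):
    """Return (absolute_target, kind) for every meta refresh with a target.

    kind is 'cross-origin' (target host differs from the page host),
    'downgrade' (same host, https page refreshing to http) or 'same-origin'.
    Only the hostname is compared; a port mismatch is not treated as a finding.
    """
    page = urlparse(page_url)
    findings = []
    for tag in META_RE.findall(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = REFRESH_RE.match(attrs.get("content", ""))
        if not m or not m.group(1):
            continue
        target = urljoin(page_url, m.group(1))   # relative targets resolve against the page
        t = urlparse(target)
        if t.hostname != page.hostname:
            kind = "cross-origin"
        elif page.scheme == "https" and t.scheme == "http":
            kind = "downgrade"
        else:
            kind = "same-origin"
        findings.append((target, kind))
    return findings

# Constructed sample: the two patterns from the thread plus two benign tags.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker.com/">
<meta http-equiv='Refresh' content='0; URL=http://example.org/'>
<meta http-equiv="refresh" content="30">
<meta http-equiv="refresh" content="0;url=/login">
<meta name="viewport" content="width=device-width">
</head></html>"""

def demo():
    return meta_refresh_findings(SAMPLE_HTML, "https://example.org/account")

if __name__ == "__main__":
    for target, kind in demo():
        print(f"{kind:13} {target}")
```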

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC