Re: CSP: meta-refresh directive?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 27 Jun 2011 14:02:01 -0700
Message-ID: <BANLkTik=61yiSqMyQxE=SSCJJfQKjUxvaw@mail.gmail.com>
To: Brian Smith <bsmith@mozilla.com>
Cc: public-web-security@w3.org

That sounds like a good idea for the next iteration.  Maybe we should
start a wiki page with these ideas?  We're trying to resist feature
creep and get something shippable in the near term.

Adam


On Mon, Jun 27, 2011 at 11:29 AM, Brian Smith <bsmith@mozilla.com> wrote:
> I think CSP should protect against attacks that involve redirecting the user, e.g.:
>
>    <meta http-equiv="refresh"
>          content="0; url=http://attacker.com/">
>
> or (on *HTTPS*://example.org/):
>
>    <meta http-equiv="refresh"
>          content="0; url=http://example.org/">
>
> Especially since most pages don't use this mechanism, this seems like a good thing to allow websites to disable.
>
> - Brian
>
>
Received on Monday, 27 June 2011 21:02:59 UTC
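
An added example, not part of the original message or of any CSP implementation: a small audit script that finds the meta-refresh redirects described in the quoted message and labels each target as cross-origin, an HTTPS-to-HTTP downgrade on the same host, or same-origin. The function names and the sample HTML are constructed for illustration.

```javascript
// Added example: audits HTML for <meta http-equiv="refresh"> redirects.
// Regex-based scan for illustration; it is not a full HTML parser.

// Pull the target out of a refresh value such as "0; url=http://x/".
function parseRefreshTarget(content) {
  const m = /^\s*\d+(?:\.\d*)?\s*(?:[;,]\s*|\s+)(?:url\s*=\s*)?(.+?)\s*$/i.exec(content);
  if (!m) return null; // e.g. "30" only reloads the current page
  return m[1].replace(/^(['"])(.*)\1$/, "$2"); // strip optional quotes
}

// Collect the attributes of one tag into a lower-cased map.
function attrs(tag) {
  const out = {};
  const re = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of tag.matchAll(re)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

// Return one finding per meta refresh that navigates somewhere.
function auditMetaRefresh(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const a = attrs(tag);
    if ((a["http-equiv"] || "").trim().toLowerCase() !== "refresh") continue;
    const raw = parseRefreshTarget(a.content || "");
    if (raw === null) continue;
    let target;
    try { target = new URL(raw, page); }
    catch { findings.push({ target: raw, issue: "unparseable" }); continue; }
    let issue = "cross-origin";
    if (target.origin === page.origin) issue = "same-origin";
    else if (page.protocol === "https:" && target.protocol === "http:" &&
             target.hostname === page.hostname) issue = "https-downgrade";
    findings.push({ target: target.href, issue });
  }
  return findings;
}

// Constructed sample: the two cases from the message plus benign tags.
const SAMPLE_HTML = `
<meta http-equiv="refresh"
      content="0; url=http://attacker.com/">
<meta http-equiv="refresh"
      content="0; url=http://example.org/">
<meta http-equiv="Refresh" content="5; URL='/login'">
<meta http-equiv="refresh" content="30">
<meta name="description" content="0; url=http://ignored.example/">
`;
console.log(auditMetaRefresh("https://example.org/", SAMPLE_HTML));
```

The scan assumes attribute values contain no `>` character; a production audit would walk a parsed DOM instead.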
