CSP: Block redirects by default? from Mike West on 2014-06-05 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Thu, 5 Jun 2014 13:08:59 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Joshua Peek <josh@joshpeek.com>, Danesh Irani <danesh@google.com>
Message-ID: <CAKXHy=fipqi6qkeh4MdTDyCcm-GCK5puFXb8KzPy7Z9-=oPzrw@mail.gmail.com>

In response to the discussion on the other thread, I've put up a "block
redirects by default" proposal at https://github.com/w3c/webappsec/pull/32.
I'll poke the folks I know using CSP on a large scale to see if such a
change is at all compatible with their existing policies. I suspect it will
be.

Neil: Would Twitter be impacted by such a change?
Josh: How about GitHub?
Danesh: Any insight into the various Google properties you've seen?

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 5 June 2014 11:09:47 UTC