Re: CSP: Block redirects by default?

On Thu, Jun 5, 2014 at 9:26 PM, Joshua Peek <josh@joshpeek.com> wrote:

> The "unsafe-" prefix probably fits in best with the existing
> "unsafe-eval" and "unsafe-inline" directives, but it does kinda make
> it sound like it would allow redirects to unwhitelisted sources. That's
> still not the case, correct?
>

No, except insofar as we drop the path component from consideration after a
redirect (see
https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-paths-and-redirects
where that's hopefully well explained).


> I'm really excited about the CSP 1.1 changes, but with some of the
> changes being backwards incompatible, do you think it would be worth
> documenting a default CSP 1.1 policy that acts like CSP 1.0? For this
> case, noting that `default-src 'unsafe-redirect'` would act like 1.0
>

Yes, absolutely. Part of the "let's finally get CSP 1.1 out the door"
process (see an email I'm going to write right after this one...), should
be clearly documenting the differences between 1.0 and 1.1 in a way that
developers can wrap their brains around.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office of the company: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 11 June 2014 07:12:32 UTC
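The point Mike makes above (the path component of a whitelisted source is only enforced on the original request URL, and is dropped from consideration once a redirect has happened) is easy to get wrong when writing a policy, so here is an added illustration. It is not code from this thread, from the spec, or from any browser: a deliberately simplified CSP source-expression matcher that models host sources only (no 'self', nonces, hashes or 'unsafe-redirect'), treats the document scheme as a parameter, and checks every hop of a constructed redirect chain, comparing the path for the first hop only.

```javascript
// Added illustration, not from the mailing-list thread or the CSP spec.
// Models the "paths and redirects" rule: a source expression's path is
// matched against the original request URL only; after a redirect only
// scheme, host and port are compared. Keywords ('self', nonces, hashes,
// 'unsafe-redirect') are intentionally out of scope (assumption).

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a host-source expression such as "https://cdn.example.com/trusted/",
// "*.static.example.org" or "cdn.example.com:8443".
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i
    .exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null, // e.g. "https:" or null
    wildcardHost: Boolean(m[2]),                    // "*.example.com"
    host: m[3].toLowerCase(),
    port: m[4] || null,                             // "443", "*" or null
    path: m[5] || null,                             // "/trusted/" or null
  };
}

// Does one source expression match one URL? `redirected` is true for every
// hop after the first; it switches the path comparison off.
function matchesSource(src, url, documentScheme, redirected) {
  const u = new URL(url);
  // Scheme: an explicit scheme must match; without one, the request must use
  // the protected document's scheme (simplified from the spec's rule).
  if (src.scheme ? u.protocol !== src.scheme : u.protocol !== documentScheme) return false;
  // Host: "*.example.com" matches subdomains only, never the bare domain.
  const host = u.hostname.toLowerCase();
  if (src.wildcardHost ? !host.endsWith("." + src.host) : host !== src.host) return false;
  // Port: compare effective ports, filling in the scheme default when absent.
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  const srcPort = src.port || DEFAULT_PORTS[src.scheme || documentScheme] || "";
  if (srcPort !== "*" && urlPort !== srcPort) return false;
  // Path: the redirect-sensitive part. A path ending in "/" is a prefix,
  // anything else is an exact match; ignored entirely after a redirect.
  if (src.path && !redirected) {
    const ok = src.path.endsWith("/") ? u.pathname.startsWith(src.path) : u.pathname === src.path;
    if (!ok) return false;
  }
  return true;
}

// Check a whole request chain (original URL followed by each redirect target)
// against a source list. Returns the hop index at which it would be blocked.
function checkRedirectChain(sourceList, chain, documentScheme = "https:") {
  const sources = sourceList.map(parseSourceExpression);
  for (let i = 0; i < chain.length; i++) {
    const redirected = i > 0;
    if (!sources.some((s) => matchesSource(s, chain[i], documentScheme, redirected))) {
      return { allowed: false, blockedAt: i, url: chain[i] };
    }
  }
  return { allowed: true, blockedAt: -1, url: chain[chain.length - 1] };
}

// Constructed sample policy and request chains (hostnames are made up).
const SAMPLE_POLICY = ["https://cdn.example.com/trusted/", "*.static.example.org"];
const SAMPLE_CHAINS = {
  direct: ["https://cdn.example.com/trusted/app.js"],
  wrongPath: ["https://cdn.example.com/other/app.js"],
  // Same host, but the redirect lands outside the whitelisted path: allowed,
  // because the path is not considered after a redirect.
  redirectOffPath: ["https://cdn.example.com/trusted/app.js", "https://cdn.example.com/other/app.js"],
  // Redirect to a host outside the source list: still blocked.
  redirectOffHost: ["https://cdn.example.com/trusted/app.js", "https://evil.example.net/app.js"],
};

function runSamples() {
  const out = {};
  for (const [name, chain] of Object.entries(SAMPLE_CHAINS)) {
    out[name] = checkRedirectChain(SAMPLE_POLICY, chain);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, result] of Object.entries(runSamples())) {
    console.log(name.padEnd(16), result.allowed ? "allowed" : `blocked at hop ${result.blockedAt} (${result.url})`);
  }
}
```

The `redirectOffPath` case is the one worth noticing when writing a policy: a path-restricted source such as `https://cdn.example.com/trusted/` still lets any resource on that host load if something under the whitelisted path redirects there, so path restrictions are only as strong as the redirect behaviour of the whitelisted host.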