On Wed, Jun 11, 2014 at 11:20 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote: > On 11-Jun-14 10:14, Mike West wrote: > > * Reporting does not include the origin of a redirect's target, but only > > the origin of the originally requested URL. > > This helps, but still does not alleviate the problem that an attacker > can still tell if the requested URL was redirected or not. What happened > to the suggestion that: > > If the request a) contains a source list directive, b) contains an > unsafe-redirect directive, and c) is cross domain, then it must state so > by including the following HTTP header: "CSP: > redirection-detection-possible". > Apologies. I did write this bit, but neglected to actually commit it. It's been a long week. :) https://github.com/w3c/webappsec/commit/049a3c94817770487e21d6151b135bca4b19ba46 And, actually, I didn't think about the 'unsafe-redirect' bit: https://github.com/w3c/webappsec/commit/a8a566391e9161139822c9fd0e880626abbdad15 WDYT? It's implemented with different syntax than you've suggested here, but the idea is the same. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 June 2014 10:27:16 UTC