- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Wed, 11 Jun 2014 12:41:43 +0200
- To: Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On 11-Jun-14 12:26, Mike West wrote:
> If the request a) contains a source list directive, b) contains an
> unsafe-redirect directive, and c) is cross domain, then it must state so
> by including the following HTTP header: "CSP:
> redirection-detection-possible".
>
> Apologies. I did write this bit, but neglected to actually commit it.
> It's been a long week. :)

Looks good, then I have no further objections. Thanks for the constructive work, and for putting up with my paranoia :)

> And, actually, I didn't think about the 'unsafe-redirect'
> bit: https://github.com/w3c/webappsec/commit/a8a566391e9161139822c9fd0e880626abbdad15
>
> WDYT? It's implemented with different syntax than you've suggested here,
> but the idea is the same. Optionally, include the cross domain check.

I think the following code has one too many nots in it:
"source list <em>does not</em> contain the <code>'unsafe-redirect'</code>"

-- 
Sigbjørn Vik
Opera Software
Received on Wednesday, 11 June 2014 10:42:16 UTC
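The rule quoted in the message (conditions a, b and c together trigger the `CSP: redirection-detection-possible` request header), modelled in JavaScript as an added example. This is not code from the spec, the linked commit, or either author; the rule itself is a June 2014 draft proposal from this list, not necessarily what any browser shipped. The directive names are the CSP2 source-list directives; the function names, the sample policies and the origin comparison via `URL` are this example's own assumptions.

```javascript
// Added example: a model of the proposed rule, not spec or browser code.
// Assumption: these are the CSP2 directives that take a source list.
const SOURCE_LIST_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src",
  "font-src", "object-src", "media-src", "frame-src", "child-src",
]);

// Parse a serialized policy into Map<directive name, [source expressions]>.
// Directive names are case-insensitive; source expressions are kept as-is so
// the keyword source 'unsafe-redirect' (quotes included) is matched exactly.
// A repeated directive keeps its first occurrence, as CSP parsing does.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// (a) the policy contains at least one source-list directive.
function hasSourceListDirective(directives) {
  for (const name of directives.keys()) {
    if (SOURCE_LIST_DIRECTIVES.has(name)) return true;
  }
  return false;
}

// (b) some source list contains 'unsafe-redirect'. Note the sense of the
// test: the header is required when the keyword IS present, which is the
// "one too many nots" point raised in the message.
function hasUnsafeRedirect(directives) {
  for (const [name, sources] of directives) {
    if (SOURCE_LIST_DIRECTIVES.has(name) && sources.includes("'unsafe-redirect'")) {
      return true;
    }
  }
  return false;
}

// (c) the request is cross-origin relative to the protected document.
// Assumption: "cross domain" in the proposal is modelled as origin inequality.
function isCrossOrigin(documentOrigin, requestUrl) {
  return new URL(requestUrl).origin !== new URL(documentOrigin).origin;
}

// All three conditions must hold for the header to be required.
function needsRedirectionDetectionHeader(policy, documentOrigin, requestUrl) {
  const directives = parseCsp(policy);
  return hasSourceListDirective(directives)
    && hasUnsafeRedirect(directives)
    && isCrossOrigin(documentOrigin, requestUrl);
}

// The extra request headers a user agent would attach under the rule.
function extraRequestHeaders(policy, documentOrigin, requestUrl) {
  return needsRedirectionDetectionHeader(policy, documentOrigin, requestUrl)
    ? { CSP: "redirection-detection-possible" }
    : {};
}

// Constructed sample: a page on app.example loading an image from cdn.example
// under a policy that opts img-src into 'unsafe-redirect'.
const samplePolicy = "default-src 'self'; img-src https://cdn.example 'unsafe-redirect'";
console.log(extraRequestHeaders(samplePolicy, "https://app.example", "https://cdn.example/logo.png"));
console.log(extraRequestHeaders(samplePolicy, "https://app.example", "https://app.example/logo.png"));
```

The same-origin fetch in the second call gets no header even though the policy carries `'unsafe-redirect'`, which is the "optionally, include the cross domain check" part of the thread; dropping condition (c) would send the header on every request governed by such a policy.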