On Tue, Apr 28, 2015 at 10:11 PM, Brad Hill <hillbrad@gmail.com> wrote: > <hat=individual> > Good points. I don't imagine we'd ever allow such a policy to prevent > using, e.g the built-in back buttons or closing the tab. (Not that back > always helps in a long redirect chain, but that's an issue we have to deal > with today independent of any such directive) > Yes, I did not mean to preclude the user manually using the "back" button--that should function as a user expects. I just meant that an interstitial type page (if a user agent even decides that's the appropriate response to a navigation violation) should not encourage the user to return to the protected resource as a default action. We know that either the page was compromised or it is abusing CSP to keep visitors from leaving. - Dan Veditz
Received on Wednesday, 29 April 2015 08:56:31 UTC