Re: CSP2: Drop 'unsafe-redirect'. from Mike West on 2015-07-01 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Wed, 1 Jul 2015 16:32:30 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
Message-ID: <CAKXHy=eP3hJNe+zc51bC3Bq-JnD8hCXJA_7KzFxmOdxVa3ZAsQ@mail.gmail.com>

On Wed, Jul 1, 2015 at 4:25 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jul 1, 2015 at 4:12 PM, Mike West <mkwst@google.com> wrote:
> > Experimentation locally on internal sites leads me to believe that it's
> not
> > going to be web compatible: I didn't find any Google property that used
> CSP
> > which the new behavior wouldn't break in some way.
>
> How are we going to protect the scenario instead?
>

The other redirect-related changes are sufficient to mitigate the risks (we
no longer consider the path component after a redirect, and we send a `CSP`
header to inform the server that cross-origin redirects might be visible).
`unsafe-redirect` was an opt-out mechanism that changed redirect behavior
in general, but didn't provide any security benefit. If there's desire, we
could make that an opt-in behavior instead, but we'd likely need to invent
some new syntax, and I'd prefer to defer that to CSP3 where I want to
rewrite everything anyway.

-mike

Received on Wednesday, 1 July 2015 14:33:18 UTC