- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 30 Jun 2011 19:42:42 -0700
- To: Brian Smith <bsmith@mozilla.com>
- CC: public-web-security@w3.org
On 6/27/11 11:29 AM, Brian Smith wrote:
> I think CSP should prevent against attacks that involve
> redirecting the user, e.g.:
>
> <meta http-equiv="refresh" content="0;
> url=http://attacker.com/">

Why single out meta refresh? We've talked about whether it makes sense to limit navigation and meta refresh seems like a subset.

It would be strange to restrict a meta refresh set to 30 seconds (say) and not <body onload="window.location.href='http://attacker.com/'">. Or to cover short meta refreshes (0 only? < 5 secs?) and not restrict longer ones.

-Dan Veditz
Received on Friday, 1 July 2011 02:43:18 UTC