
CSP: meta-refresh directive?

From: Brian Smith <bsmith@mozilla.com>
Date: Mon, 27 Jun 2011 11:29:25 -0700 (PDT)
To: public-web-security@w3.org
Message-ID: <1489909406.349329.1309199365871.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
I think CSP should prevent against attacks that involve redirecting the user, e.g.:

    <meta http-equiv="refresh"
          content="0; url=http://attacker.com/">

or (on *HTTPS*://example.org/):

    <meta http-equiv="refresh"
          content="0; url=http://example.org/">

Especially since most pages don't use this mechanism, this seems like a good thing to allow websites to disable.

- Brian
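The two cases above (a meta refresh to a foreign origin, and an HTTPS page refreshing itself to plain HTTP) are what a site operator would want to catch in their own markup while no CSP directive exists for it. The following is an added illustration written for this archive page, not code from the thread or from any CSP implementation; the page URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class MetaRefreshFinder(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def parse_refresh_target(content, page_url):
    """Split a refresh value such as '0; url=http://x/' into (delay, absolute URL).

    A missing URL part means "reload this page", so the page URL is returned.
    """
    delay, _, rest = content.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    return delay.strip(), urljoin(page_url, rest) if rest else page_url


def audit_meta_refresh(html, page_url):
    """Flag refresh targets that leave the page's origin or downgrade https to http."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    page = urlsplit(page_url)
    findings = []
    for content in finder.refreshes:
        _, target = parse_refresh_target(content, page_url)
        t = urlsplit(target)
        if t.netloc != page.netloc:
            findings.append(("cross-origin", target))      # e.g. attacker.com
        elif page.scheme == "https" and t.scheme == "http":
            findings.append(("downgrade", target))         # https -> http, same host
    return findings


# Constructed sample page served from https://example.org/ with the two cases from the mail
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker.com/">
<meta http-equiv="refresh" content="0; url=http://example.org/">
<meta http-equiv="refresh" content="5; url=/safe">
</head></html>"""
```

Running `audit_meta_refresh(SAMPLE_HTML, "https://example.org/")` reports the first two tags and leaves the same-origin `/safe` refresh alone.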
Received on Monday, 27 June 2011 18:30:03 UTC
