- From: Brian Smith <bsmith@mozilla.com>
- Date: Mon, 27 Jun 2011 11:29:25 -0700 (PDT)
- To: public-web-security@w3.org
I think CSP should protect against attacks that involve redirecting the user, e.g.:
<meta http-equiv="refresh"
content="0; url=http://attacker.com/">
or (on *HTTPS*://example.org/):
<meta http-equiv="refresh"
content="0; url=http://example.org/">
Especially since most pages don't use this mechanism, this seems like a good thing to allow websites to disable.
- Brian
Received on Monday, 27 June 2011 18:30:03 UTC
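The two cases in the post (a meta refresh to another host, and an HTTPS page refreshing to plain HTTP on its own host) can be flagged in page HTML before a policy mechanism exists; this is an added example, not code from the thread or from any CSP implementation, and the sample page, the `other-host`/`downgrade` labels and the function names are constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "<seconds>; url=<target>"; browsers also accept a missing "url=" and quotes.
# A bare "<seconds>" only reloads the current page, so it yields no target.
_REFRESH_RE = re.compile(r"^\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*$", re.I)


class _MetaRefreshCollector(HTMLParser):
    """Collects the redirect target of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = _REFRESH_RE.match(attr.get("content", ""))
        if match and match.group(1):
            self.targets.append(match.group(1))


def find_meta_refresh_targets(html):
    parser = _MetaRefreshCollector()
    parser.feed(html)
    return parser.targets


def classify_redirect(page_url, raw_target):
    """Reasons a meta refresh from page_url to raw_target is risky: 'downgrade'
    (HTTPS page sends the user to HTTP) and/or 'other-host' (different host).
    An empty list means the redirect stays on the page's own host and scheme."""
    page = urlsplit(page_url)  # urlsplit lowercases the scheme
    target = urlsplit(urljoin(page_url, raw_target))  # relative targets resolve against the page
    reasons = []
    if page.scheme == "https" and target.scheme == "http":
        reasons.append("downgrade")
    if target.netloc.lower() != page.netloc.lower():
        reasons.append("other-host")
    return reasons


def audit_meta_refresh(page_url, html):
    """Pair each meta refresh target found in html with its risk reasons."""
    return [(t, classify_redirect(page_url, t)) for t in find_meta_refresh_targets(html)]


# Constructed sample: the post's second case, a page served over HTTPS.
SAMPLE_PAGE = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=http://example.org/"></head><body></body></html>')

if __name__ == "__main__":
    for target, reasons in audit_meta_refresh("https://example.org/", SAMPLE_PAGE):
        print(target, reasons or ["same-origin"])
```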