CSP: meta-refresh directive?

I think CSP should protect against attacks that involve redirecting the user, e.g.:

    <meta http-equiv="refresh"
          content="0; url=http://attacker.com/">

or (on *HTTPS*://example.org/):

    <meta http-equiv="refresh"
          content="0; url=http://example.org/">

Especially since most pages don't use this mechanism, this seems like a good thing to allow websites to disable.

- Brian

Received on Monday, 27 June 2011 18:30:03 UTC
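
An added example, not part of the original message: a small audit helper that finds `<meta http-equiv="refresh">` tags in a page and classifies each target as same-origin, cross-origin, or an HTTPS-to-HTTP downgrade, the two cases the message describes. The function name `audit_meta_refresh` and the sample pages are assumptions made for illustration, and origin comparison here is simplified to scheme plus host:port as written in the URL.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# content attribute shape: "<delay>[;,] [url=]<target>"
_REFRESH = re.compile(r"^\s*[\d.]+\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)


class _MetaRefreshFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m:
            self.targets.append(m.group(1).strip().strip("'\""))


def audit_meta_refresh(page_url, html):
    """Return a (resolved_target, finding) pair for every meta refresh in html."""
    finder = _MetaRefreshFinder()
    finder.feed(html)
    page = urlsplit(page_url)
    results = []
    for raw in finder.targets:
        # An empty target reloads the page itself, so it resolves to page_url.
        target = urlsplit(urljoin(page_url, raw))
        if (target.scheme, target.netloc) == (page.scheme, page.netloc):
            finding = "same-origin"
        elif (page.scheme, target.scheme) == ("https", "http") and target.hostname == page.hostname:
            finding = "https-downgrade"
        else:
            finding = "cross-origin"
        results.append((target.geturl(), finding))
    return results


# Constructed sample pages mirroring the two cases in the message above.
SAMPLE_OFFSITE = '<meta http-equiv="refresh"\n      content="0; url=http://attacker.com/">'
SAMPLE_DOWNGRADE = '<meta http-equiv="refresh"\n      content="0; url=http://example.org/">'
```

Run it over rendered pages fetched from `https://example.org/` to list which ones would be affected if such redirects were disabled.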