Re: CSP: meta-refresh directive? from gaz Heyes on 2011-06-27 (public-web-security@w3.org from June 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 27 Jun 2011 21:33:05 +0100
To: Brian Smith <bsmith@mozilla.com>
Cc: public-web-security@w3.org
Message-ID: <BANLkTimOsUeHMV0JXckr9uwgy0VywGdtJw@mail.gmail.com>

On 27 June 2011 19:29, Brian Smith <bsmith@mozilla.com> wrote:

> I think CSP should prevent against attacks that involve redirecting the
> user, e.g.:
>
>    <meta http-equiv="refresh"
>          content="0; url=http://attacker.com/">
>
> or (on *HTTPS*://example.org/):
>
>    <meta http-equiv="refresh"
>          content="0; url=http://example.org/">
>
> Especially since most pages don't use this mechanism, this seems like a
> good thing to allow websites to disable.
>

I'd also disable setting cookies too if it doesn't already do so

Received on Monday, 27 June 2011 20:33:32 UTC