- From: gaz Heyes <gazheyes@gmail.com>
- Date: Mon, 27 Jun 2011 21:33:05 +0100
- To: Brian Smith <bsmith@mozilla.com>
- Cc: public-web-security@w3.org
Received on Monday, 27 June 2011 20:33:32 UTC
On 27 June 2011 19:29, Brian Smith <bsmith@mozilla.com> wrote:

> I think CSP should prevent against attacks that involve redirecting the
> user, e.g.:
>
> <meta http-equiv="refresh"
>       content="0; url=http://attacker.com/">
>
> or (on *HTTPS*://example.org/):
>
> <meta http-equiv="refresh"
>       content="0; url=http://example.org/">
>
> Especially since most pages don't use this mechanism, this seems like a
> good thing to allow websites to disable.

I'd also disable setting cookies too if it doesn't already do so
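An added example, not part of the original message: a Python audit that finds the two meta refresh patterns quoted above, a redirect to another origin and an HTTPS page redirecting to HTTP on the same host. The function name, verdict labels and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<delay>; url=<target>"; a bare delay (reload only) has no target.
_REFRESH = re.compile(
    r"""^\s*[\d.]+(?:\s*[;,]\s*|\s+)(?:url\s*=\s*)?["']?(.*?)["']?\s*$""",
    re.I | re.S,
)
_DEFAULT_PORT = {"http": 80, "https": 443}


class _MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m and m.group(1):
            self.targets.append(m.group(1))


def _origin(u):
    return (u.scheme, u.hostname, u.port or _DEFAULT_PORT.get(u.scheme))


def audit_meta_refresh(page_url, html):
    """Return (resolved_target, verdict) for each navigating meta refresh."""
    page = urlsplit(page_url)
    finder = _MetaRefreshFinder()
    finder.feed(html)
    findings = []
    for raw in finder.targets:
        target = urlsplit(urljoin(page_url, raw))  # resolve relative targets
        if (target.hostname == page.hostname
                and page.scheme == "https" and target.scheme == "http"):
            verdict = "https-downgrade"   # second case in the quoted message
        elif _origin(target) != _origin(page):
            verdict = "cross-origin"      # first case in the quoted message
        else:
            verdict = "same-origin"
        findings.append((target.geturl(), verdict))
    return findings


# Constructed sample markup, audited as if served from https://example.org/page
SAMPLE_HTML = """
<meta http-equiv="refresh" content="0; url=http://attacker.com/">
<meta http-equiv="Refresh" content="0; url=http://example.org/">
<meta http-equiv="refresh" content="5; url=/login">
<meta http-equiv="refresh" content="30">
"""
```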