- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 27 Jun 2011 14:02:01 -0700
- To: Brian Smith <bsmith@mozilla.com>
- Cc: public-web-security@w3.org

That sounds like a good idea for the next iteration. Maybe we should start a wiki page with these ideas? We're trying to resist feature creep and get something shippable in the near term.

Adam

On Mon, Jun 27, 2011 at 11:29 AM, Brian Smith <bsmith@mozilla.com> wrote:
> I think CSP should prevent against attacks that involve redirecting the user, e.g.:
>
> <meta http-equiv="refresh"
>       content="0; url=http://attacker.com/">
>
> or (on *HTTPS*://example.org/):
>
> <meta http-equiv="refresh"
>       content="0; url=http://example.org/">
>
> Especially since most pages don't use this mechanism, this seems like a good thing to allow websites to disable.
>
> - Brian

Received on Monday, 27 June 2011 21:02:59 UTC
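
An added example, not part of the original thread: a Python check a site owner could run over their own pages to flag the two `<meta http-equiv="refresh">` cases quoted above (a redirect to another host, and an HTTPS page redirecting to plain HTTP on the same host). The function names, verdict labels and sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Refresh content: delay, optional ';' or ',', optional "url=", then the target.
REFRESH_RE = re.compile(r"^\s*\d+(?:\.\d*)?\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

class RefreshFinder(HTMLParser):
    """Collects the raw targets of <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "meta" or (attr.get("http-equiv") or "").strip().lower() != "refresh":
            return
        match = REFRESH_RE.match(attr.get("content") or "")
        target = match.group(1).strip().strip("'\"") if match else ""
        if target:  # a bare delay only reloads the current page
            self.targets.append(target)

def classify(page_url, target):
    """Label a refresh target relative to the page that carries it."""
    page, dest = origin(page_url), origin(urljoin(page_url, target))
    if page == dest:
        return "same-origin"
    if page[1] == dest[1] and page[0] == "https" and dest[0] == "http":
        return "https-downgrade"
    return "cross-origin"

def find_refresh_redirects(page_url, html):
    """Return [(absolute_target, verdict)] for every meta refresh in html."""
    finder = RefreshFinder()
    finder.feed(html)
    return [(urljoin(page_url, t), classify(page_url, t)) for t in finder.targets]

# Constructed sample page: the two tags from the thread plus benign variants.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker.com/">
<meta http-equiv="Refresh" content="0; URL=http://example.org/">
<meta http-equiv="refresh" content="5;/next">
<meta http-equiv="refresh" content="30">
</head></html>"""
```
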