On Sun, May 5, 2013 at 10:15 AM, Eduardo' Vela <evn@google.com> wrote:
> For what is worth you can also detect redirects without CSP with iframes
> (change the location's hash and see if it triggers a load event).
>
In this particular case, you can't, as the 'X-Frame-Options' header blocks
the page from ever loading (It's arguable, actually, that the redirect
shouldn't happen in a frame, since both the initial and final target
attempt to deny framing).
Regardless, this certainly wouldn't be the only mechanism of leaking this
sort of state, but it would be nice not to add new holes to the platform. :/
> I don't think paths are the root of the problem though, there are also
> cross-origin redirects quite often (eg, most sites redirect to a login-only
> origin such as accounts.google.com when the user is logged out).
>
Indeed.
-mike