Re: CSP: Block redirects by default?

May need some additional clarification, does anything change if
"unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
1.0 default for all sources?

As of 1.0, it seemed like you needed to whitelist any source along the
redirect chain. That seemed acceptable to me. At GitHub, we've taken
steps to reduce redirects just to simply the CSP policy. We may still
have some same origin redirects for img-src. Would those be okay?

On Thu, Jun 5, 2014 at 6:08 AM, Mike West <> wrote:
> In response to the discussion on the other thread, I've put up a "block
> redirects by default" proposal at
> I'll poke the folks I know using CSP on a large scale to see if such a
> change is at all compatible with their existing policies. I suspect it will
> be.
> Neil: Would Twitter be impacted by such a change?
> Josh: How about GitHub?
> Danesh: Any insight into the various Google properties you've seen?
> --
> Mike West <>
> Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 5 June 2014 16:07:55 UTC