W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP: Block redirects by default?

From: Joshua Peek <josh@joshpeek.com>
Date: Thu, 5 Jun 2014 11:07:28 -0500
Message-ID: <CA+RmjJ+WV94HReg_2hJPDf2_ZxKVbnmAK0PkWEggUVrKcQq2Ng@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Danesh Irani <danesh@google.com>
May need some additional clarification, does anything change if
"unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
1.0 default for all sources?

As of 1.0, it seemed like you needed to whitelist any source along the
redirect chain. That seemed acceptable to me. At GitHub, we've taken
steps to reduce redirects just to simply the CSP policy. We may still
have some same origin redirects for img-src. Would those be okay?

On Thu, Jun 5, 2014 at 6:08 AM, Mike West <mkwst@google.com> wrote:
> In response to the discussion on the other thread, I've put up a "block
> redirects by default" proposal at https://github.com/w3c/webappsec/pull/32.
> I'll poke the folks I know using CSP on a large scale to see if such a
> change is at all compatible with their existing policies. I suspect it will
> be.
>
> Neil: Would Twitter be impacted by such a change?
> Josh: How about GitHub?
> Danesh: Any insight into the various Google properties you've seen?
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 5 June 2014 16:07:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC