Thanks Josh!

On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:
> May need some additional clarification, does anything change if
> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
> 1.0 default for all sources?

The idea is that redirects would be blocked by default, period, regardless of whether they're whitelisted. If you need redirects, you would add 'unsafe-redirect', and you'd get status-quo behavior.

> As of 1.0, it seemed like you needed to whitelist any source along the
> redirect chain. That seemed acceptable to me. At GitHub, we've taken
> steps to reduce redirects just to simplify the CSP policy. We may still
> have some same origin redirects for img-src. Would those be okay?

If that's what you need, add 'unsafe-redirect' to 'img-src'! That would continue to block redirects for other resource types, and give you the 1.0 behavior you're used to for images.

-mike

Received on Thursday, 5 June 2014 19:04:29 UTC
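To make the two behaviours in the thread concrete, here is a small Python model added to this archive page (it is not code from the CSP specification, any browser, or the list participants): `load_allowed` evaluates a redirect chain under the CSP 1.0 rule (every hop must match the directive's source list) and under the proposed rule (redirects refused unless the directive carries `'unsafe-redirect'`). The policy parser and the `'self'`/host matcher are simplified assumptions for the illustration; wildcards, paths and other source forms are not modelled.

```python
from urllib.parse import urlsplit

# Constructed illustration of the two redirect behaviours discussed in the
# thread: CSP 1.0 ("every hop of the redirect chain must match the source
# list") versus the proposal ("redirects blocked unless the directive carries
# 'unsafe-redirect', which restores the 1.0 rule"). Not code from the CSP
# specification or any browser; source matching is deliberately simplified.

def parse_policy(header):
    """Turn "img-src a b; script-src c" into {"img-src": ["a", "b"], ...}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Hypothetical simplified matcher: 'self', scheme://host, or bare host."""
    u = urlsplit(url)
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if "://" in source:
        s = urlsplit(source)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    return u.netloc == source

def load_allowed(header, directive, chain, page_origin, proposal=False):
    """chain[0] is the requested URL; later entries are redirect targets.

    proposal=False models CSP 1.0: every URL in the chain must match.
    proposal=True models the thread's proposal: any redirect is refused
    unless 'unsafe-redirect' is listed, in which case the 1.0 rule applies.
    """
    sources = parse_policy(header).get(directive, [])
    hosts = [s for s in sources if s != "'unsafe-redirect'"]
    if proposal and len(chain) > 1 and "'unsafe-redirect'" not in sources:
        return False  # redirect blocked by default, whitelisted or not
    return all(any(source_matches(s, url, page_origin) for s in hosts)
               for url in chain)
```

The GitHub case from the thread is the same-origin `img-src` redirect: allowed under 1.0, refused under the proposal, and allowed again once `'unsafe-redirect'` is added to `img-src` only, while a `script-src` redirect stays blocked.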