Re: CSP: Block redirects by default? from Mike West on 2014-06-05 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Thu, 5 Jun 2014 21:03:42 +0200
To: Joshua Peek <josh@joshpeek.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Danesh Irani <danesh@google.com>
Message-ID: <CAKXHy=fJv2i3Xmw00i0O_x=SzX3LuaghD=d_qcKaPeM5_jjb2w@mail.gmail.com>

Thanks Josh!

On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:

> May need some additional clarification, does anything change if
> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
> 1.0 default for all sources?
>

The idea is that redirects would be blocked by default, period, regardless
of whether they're whitelisted.

If you need redirects, you would add 'unsafe-redirect', and you'd get
status-quo behavior.

As of 1.0, it seemed like you needed to whitelist any source along the
> redirect chain. That seemed acceptable to me. At GitHub, we've taken
> steps to reduce redirects just to simply the CSP policy. We may still
> have some same origin redirects for img-src. Would those be okay?

If that's what you need, add 'unsafe-redirect' to 'img-src`! That would
continue to block redirects for other resource types, and give you the 1.0
behavior you're used to for images.

-mike

Received on Thursday, 5 June 2014 19:04:29 UTC