
Re: CSP: Block redirects by default?

From: Neil Matatall <neilm@twitter.com>
Date: Thu, 5 Jun 2014 12:22:12 -0700
Message-ID: <CAOFLtbh=FuN6_gDzO42PCJbtuyGYatsoXz7jYBSvHGZDtiGA7Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Joshua Peek <josh@joshpeek.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Danesh Irani <danesh@google.com>

It doesn't look like this will matter for twitter.com, but many of the
subdomains (where CSP is actually enforced) are relying on this.

They shouldn't, so I don't want to let that stop anything.

On Thu, Jun 5, 2014 at 12:03 PM, Mike West <mkwst@google.com> wrote:
> Thanks Josh!
>
> On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:
>>
>> May need some additional clarification, does anything change if
>> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
>> 1.0 default for all sources?
>
>
> The idea is that redirects would be blocked by default, period, regardless
> of whether they're whitelisted.
>
> If you need redirects, you would add 'unsafe-redirect', and you'd get
> status-quo behavior.
>
>> As of 1.0, it seemed like you needed to whitelist any source along the
>> redirect chain. That seemed acceptable to me. At GitHub, we've taken
>> steps to reduce redirects just to simplify the CSP policy. We may still
>> have some same origin redirects for img-src. Would those be okay?
>
>
> If that's what you need, add 'unsafe-redirect' to 'img-src'! That would
> continue to block redirects for other resource types, and give you the 1.0
> behavior you're used to for images.
>
> -mike
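The two behaviours being compared in this thread (the CSP 1.0 rule that every hop of a redirect chain must match the source list, versus Mike's proposal to block any redirect unless 'unsafe-redirect' is present on the directive) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from the thread, from Twitter, GitHub, or any browser; it assumes a constructed page origin, treats host sources as plain origins (no wildcards, paths or scheme-less hosts), and accepts only the keywords the thread mentions.

```python
"""Model of CSP redirect handling: 1.0 semantics vs. the proposed
'unsafe-redirect' default. Illustrative only; real host-source matching
is richer than the origin comparison used here."""
from urllib.parse import urlsplit

# Constructed page origin that 'self' resolves to in this example.
SELF_ORIGIN = "https://www.example.com"


def parse_source_list(value: str, self_origin: str = SELF_ORIGIN) -> dict:
    """Parse a directive value such as
    "'self' https://img.example.com 'unsafe-redirect'"
    into a set of allowed origins plus the unsafe-redirect flag."""
    origins, unsafe_redirect = set(), False
    for tok in value.split():
        if tok == "'self'":
            origins.add(self_origin)
        elif tok == "'unsafe-redirect'":      # proposed keyword from the thread
            unsafe_redirect = True
        elif tok.startswith("'"):
            raise ValueError(f"keyword not modelled here: {tok}")
        else:
            origins.add(tok.rstrip("/"))      # host source, origin-only match
    return {"origins": origins, "unsafe_redirect": unsafe_redirect}


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def allowed_csp10(src: dict, chain: list[str]) -> bool:
    """CSP 1.0 behaviour as described in the thread: the initial URL and
    every redirect target must all be whitelisted by the source list."""
    return all(origin_of(u) in src["origins"] for u in chain)


def allowed_proposed(src: dict, chain: list[str]) -> bool:
    """Proposed behaviour: a chain longer than one URL (i.e. a redirect
    occurred) is blocked outright unless 'unsafe-redirect' was given;
    with the keyword present, fall back to the 1.0 whitelist check."""
    if len(chain) > 1 and not src["unsafe_redirect"]:
        return False
    return allowed_csp10(src, chain)


if __name__ == "__main__":
    # Constructed sample: a same-site image that redirects to an image CDN.
    chain = ["https://www.example.com/a.png", "https://img.example.com/a.png"]
    strict = parse_source_list("'self' https://img.example.com")
    relaxed = parse_source_list("'self' https://img.example.com 'unsafe-redirect'")
    print("1.0 semantics, no keyword:", allowed_csp10(strict, chain))
    print("proposed, no keyword:     ", allowed_proposed(strict, chain))
    print("proposed, with keyword:   ", allowed_proposed(relaxed, chain))
```

The sample chain shows the practical effect Josh and Neil are worried about: a policy that whitelists both hops passes under 1.0 semantics but fails under the proposed default until the operator opts in per directive, which is why subdomains that rely on redirects would need to add the keyword (or, better, remove the redirects) before such a change shipped.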
Received on Thursday, 5 June 2014 19:22:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC