- From: Neil Matatall <neilm@twitter.com>
- Date: Thu, 5 Jun 2014 12:22:12 -0700
- To: Mike West <mkwst@google.com>
- Cc: Joshua Peek <josh@joshpeek.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Danesh Irani <danesh@google.com>
It doesn't look like this will matter for twitter.com, but many of the subdomains (where CSP is actually enforced) are relying on this. They shouldn't, so I don't want to let that stop anything.

On Thu, Jun 5, 2014 at 12:03 PM, Mike West <mkwst@google.com> wrote:
> Thanks Josh!
>
> On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:
>>
>> May need some additional clarification, does anything change if
>> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
>> 1.0 default for all sources?
>
> The idea is that redirects would be blocked by default, period, regardless
> of whether they're whitelisted.
>
> If you need redirects, you would add 'unsafe-redirect', and you'd get
> status-quo behavior.
>
>> As of 1.0, it seemed like you needed to whitelist any source along the
>> redirect chain. That seemed acceptable to me. At GitHub, we've taken
>> steps to reduce redirects just to simplify the CSP policy. We may still
>> have some same origin redirects for img-src. Would those be okay?
>
> If that's what you need, add 'unsafe-redirect' to `img-src`! That would
> continue to block redirects for other resource types, and give you the 1.0
> behavior you're used to for images.
>
> -mike
Received on Thursday, 5 June 2014 19:22:40 UTC
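The two redirect behaviours Mike contrasts above (the CSP 1.0 rule, where every URL along the redirect chain has to match the directive's source list, and the proposed rule, where a redirect is blocked outright unless that one directive carries 'unsafe-redirect') are modelled below as an added example. This is not code from the thread, from any browser, or from the CSP specification. The document origin https://example.com, the avatar URLs and the simplified source matching ('self', exact origins and "*.host" wildcards only; no paths, ports or scheme upgrades) are assumptions made for the illustration.

```javascript
// Added example: a toy model of the redirect handling discussed in this
// thread for one CSP directive (e.g. img-src). It is not browser code and
// not the spec's algorithm. Source matching is deliberately simplified to
// 'self', exact origins and "*.host" wildcards; paths, ports and schemes
// other than the literal ones given are not handled.

// Assumed origin of the document that carries the policy.
const SELF_ORIGIN = "https://example.com";

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression match the URL's origin?
function sourceMatches(expr, url) {
  const origin = originOf(url);
  if (expr === "'self'") return origin === SELF_ORIGIN;
  if (expr.startsWith("*.")) {
    // "*.example.net" matches sub.example.net but not example.net itself
    const host = new URL(url).hostname;
    return host.endsWith(expr.slice(1)) && host !== expr.slice(2);
  }
  return expr === origin; // exact origin such as https://cdn.example.net
}

// Split a directive value like "'self' https://cdn.example.net 'unsafe-redirect'"
// into its source list and the 'unsafe-redirect' flag.
function parseDirective(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  return {
    unsafeRedirect: tokens.includes("'unsafe-redirect'"),
    sources: tokens.filter((t) => t !== "'unsafe-redirect'"),
  };
}

function urlAllowed(sources, url) {
  return sources.some((s) => sourceMatches(s, url));
}

// CSP 1.0 behaviour as described in the thread: the requested URL and every
// URL reached by following a redirect must each match the source list.
// `chain` is the list of URLs fetched, first request first.
function allowedCsp10(directiveValue, chain) {
  const { sources } = parseDirective(directiveValue);
  return chain.every((url) => urlAllowed(sources, url));
}

// Proposed behaviour: any redirect (a chain of more than one URL) is blocked
// unless this directive carries 'unsafe-redirect'. With the keyword, the
// directive falls back to the 1.0 rule above; other directives are unaffected
// because the keyword is per directive.
function allowedProposed(directiveValue, chain) {
  const { unsafeRedirect } = parseDirective(directiveValue);
  if (chain.length > 1 && !unsafeRedirect) return false;
  return allowedCsp10(directiveValue, chain);
}

// Constructed input: the same-origin image redirect Josh asks about,
// with made-up avatar paths.
const sameOriginRedirect = [
  "https://example.com/avatar/42",
  "https://example.com/avatars/42.png",
];

console.log(allowedCsp10("'self'", sameOriginRedirect));                      // true
console.log(allowedProposed("'self'", sameOriginRedirect));                   // false
console.log(allowedProposed("'self' 'unsafe-redirect'", sameOriginRedirect)); // true
```

The third call is the configuration Mike suggests for GitHub's case: `img-src 'self' 'unsafe-redirect'` restores the 1.0 behaviour for images only, while a `script-src` without the keyword would still refuse any redirect under the proposed rule.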