- From: Joshua Peek <josh@joshpeek.com>
- Date: Thu, 5 Jun 2014 14:26:31 -0500
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Danesh Irani <danesh@google.com>
Thanks Mike, that sounds good to me. The "unsafe-" prefix probably fits in best with the existing "unsafe-eval" and "unsafe-inline" directives, but it does kinda make it sound like it would allow redirects to unwhitelisted sources. That's still not the case, correct?

I'm really excited about the CSP 1.1 changes, but with some of the changes being backwards incompatible, do you think it would be worth documenting a default CSP 1.1 policy that acts like CSP 1.0? For this case, noting that `default-src 'unsafe-redirect'` would act like 1.0.

On Thu, Jun 5, 2014 at 2:03 PM, Mike West <mkwst@google.com> wrote:
> Thanks Josh!
>
> On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:
>>
>> May need some additional clarification, does anything change if
>> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
>> 1.0 default for all sources?
>
>
> The idea is that redirects would be blocked by default, period, regardless
> of whether they're whitelisted.
>
> If you need redirects, you would add 'unsafe-redirect', and you'd get
> status-quo behavior.
>
>> As of 1.0, it seemed like you needed to whitelist any source along the
>> redirect chain. That seemed acceptable to me. At GitHub, we've taken
>> steps to reduce redirects just to simplify the CSP policy. We may still
>> have some same origin redirects for img-src. Would those be okay?
>
>
> If that's what you need, add 'unsafe-redirect' to 'img-src'! That would
> continue to block redirects for other resource types, and give you the 1.0
> behavior you're used to for images.
>
> -mike
Received on Thursday, 5 June 2014 19:26:58 UTC
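To make the two behaviours discussed in the thread concrete, here is an added Python model (not code from the thread, the W3C spec or any browser) of how a redirect chain is evaluated under the CSP 1.0 rule Josh describes (every URL on the chain must be whitelisted) and under the 'unsafe-redirect' proposal Mike describes (any redirect is blocked unless the effective directive carries 'unsafe-redirect', in which case the 1.0 rule applies). The policies, page origin and redirect chains are constructed samples; host-source matching is simplified (no port or path matching, no nonces or hashes) and does not claim to reproduce a browser's full source-expression algorithm.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_matches(source, url, page_origin):
    """Simplified CSP host-source matching: 'self', 'none', '*', scheme://host, *.host."""
    u = urlparse(url)
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'none', 'unsafe-redirect' and other keywords never match a URL
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])  # "*.example.com" matches "cdn.example.com"
    return u.hostname == host


def effective_sources(policy, directive):
    """A fetch directive that is absent falls back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def url_whitelisted(sources, url, page_origin):
    return any(source_matches(s, url, page_origin) for s in sources)


def allowed_csp10(policy, directive, chain, page_origin):
    """CSP 1.0 as described in the thread: every URL on the redirect chain must match."""
    sources = effective_sources(policy, directive)
    return all(url_whitelisted(sources, url, page_origin) for url in chain)


def allowed_unsafe_redirect_proposal(policy, directive, chain, page_origin):
    """The proposal as described in the thread: a redirect (chain longer than one URL)
    is blocked outright unless 'unsafe-redirect' is present; with it, 1.0 rules apply,
    so an unwhitelisted hop is still blocked."""
    sources = effective_sources(policy, directive)
    if len(chain) > 1 and "'unsafe-redirect'" not in sources:
        return False
    return allowed_csp10(policy, directive, chain, page_origin)


# Constructed sample data (hypothetical origin and hosts, not from the thread).
PAGE_ORIGIN = "https://app.example"
POLICY_10_STYLE = "default-src 'self'; img-src 'self' https://cdn.example.com"
POLICY_IMG_REDIRECT = "default-src 'self'; img-src 'self' https://cdn.example.com 'unsafe-redirect'"
DIRECT_IMAGE = ["https://cdn.example.com/a.png"]
SAME_ORIGIN_REDIRECT = ["https://app.example/avatar/1", "https://app.example/static/1.png"]
SAME_ORIGIN_SCRIPT_REDIRECT = ["https://app.example/js/app", "https://app.example/static/app.js"]
OFFLIST_REDIRECT = ["https://cdn.example.com/a.png", "https://other.example/a.png"]


def evaluate_samples():
    """Return the verdict of each model on each sample chain."""
    p10 = parse_csp(POLICY_10_STYLE)
    p11 = parse_csp(POLICY_IMG_REDIRECT)
    return {
        "1.0: direct image": allowed_csp10(p10, "img-src", DIRECT_IMAGE, PAGE_ORIGIN),
        "1.0: same-origin image redirect": allowed_csp10(p10, "img-src", SAME_ORIGIN_REDIRECT, PAGE_ORIGIN),
        "1.0: redirect to unlisted host": allowed_csp10(p10, "img-src", OFFLIST_REDIRECT, PAGE_ORIGIN),
        "proposal, no keyword: same-origin image redirect":
            allowed_unsafe_redirect_proposal(p10, "img-src", SAME_ORIGIN_REDIRECT, PAGE_ORIGIN),
        "proposal, img-src keyword: same-origin image redirect":
            allowed_unsafe_redirect_proposal(p11, "img-src", SAME_ORIGIN_REDIRECT, PAGE_ORIGIN),
        "proposal, img-src keyword: redirect to unlisted host":
            allowed_unsafe_redirect_proposal(p11, "img-src", OFFLIST_REDIRECT, PAGE_ORIGIN),
        "proposal, img-src keyword: script redirect (falls to default-src)":
            allowed_unsafe_redirect_proposal(p11, "script-src", SAME_ORIGIN_SCRIPT_REDIRECT, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{'allow' if verdict else 'block':5}  {name}")
```

The last three verdicts are the ones that answer Josh's questions: with 'unsafe-redirect' only on img-src, a same-origin image redirect is allowed, a redirect hopping to a host outside the whitelist is still blocked (the keyword does not widen the whitelist), and a script redirect is blocked because script-src falls back to a default-src that carries no 'unsafe-redirect'.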