
Re: CSP: Block redirects by default?

From: Joshua Peek <josh@joshpeek.com>
Date: Thu, 5 Jun 2014 14:26:31 -0500
Message-ID: <CA+RmjJJWjQk74LgwvRsNA-_iRA_PVzV+Oa3p82TWW=eoY4bQ+Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Danesh Irani <danesh@google.com>

Thanks Mike, that sounds good to me.

The "unsafe-" prefix probably fits in best with the existing
"unsafe-eval" and "unsafe-inline" directives, but it does kinda make
it sound like it would allow redirects to unwhitelisted sources. That's
still not the case, correct?

I'm really excited about the CSP 1.1 changes, but with some of the
changes being backwards incompatible, do you think it would be worth
documenting a default CSP 1.1 policy that acts like CSP 1.0? For this
case, noting that `default-src 'unsafe-redirect'` would act like 1.0.

On Thu, Jun 5, 2014 at 2:03 PM, Mike West <mkwst@google.com> wrote:
> Thanks Josh!
>
> On Thu, Jun 5, 2014 at 6:07 PM, Joshua Peek <josh@joshpeek.com> wrote:
>>
>> May need some additional clarification, does anything change if
>> "unsafe-redirect" IS NOT used? Or "unsafe-redirect" is basically the
>> 1.0 default for all sources?
>
>
> The idea is that redirects would be blocked by default, period, regardless
> of whether they're whitelisted.
>
> If you need redirects, you would add 'unsafe-redirect', and you'd get
> status-quo behavior.
>
>> As of 1.0, it seemed like you needed to whitelist any source along the
>> redirect chain. That seemed acceptable to me. At GitHub, we've taken
>> steps to reduce redirects just to simplify the CSP policy. We may still
>> have some same origin redirects for img-src. Would those be okay?
>
>
> If that's what you need, add 'unsafe-redirect' to 'img-src'! That would
> continue to block redirects for other resource types, and give you the 1.0
> behavior you're used to for images.
>
> -mike
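The three behaviours discussed above (CSP 1.0 whitelisting of every hop in a redirect chain, the proposed block-redirects-by-default rule, and per-directive opt-in via 'unsafe-redirect') as a small model. This is an added example written for this archive page, not code from the thread or from any CSP implementation; the origin, policy and URLs are constructed, and the source matching is deliberately simplified to 'self' and bare hosts.

```python
from urllib.parse import urlparse

UNSAFE_REDIRECT = "'unsafe-redirect'"  # keyword proposed in the thread


def source_matches(url, source, page_origin):
    """Simplified source matching: 'self' or a bare host like "cdn.example".
    Constructed for this example; real CSP matching is richer."""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    return u.netloc == source


def effective_sources(policy, directive):
    """A missing fetch directive falls back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def redirect_chain_allowed(policy, directive, chain, page_origin, block_by_default):
    """chain[0] is the requested URL, chain[1:] the redirect hops.
    block_by_default=False models CSP 1.0 (every hop must be whitelisted);
    block_by_default=True models the proposal (redirects blocked unless the
    directive carries 'unsafe-redirect', which then restores the 1.0 rule).
    Returns (allowed, reason)."""
    directive_sources = effective_sources(policy, directive)
    sources = [s for s in directive_sources if s != UNSAFE_REDIRECT]
    opted_in = UNSAFE_REDIRECT in directive_sources
    if not any(source_matches(chain[0], s, page_origin) for s in sources):
        return False, "initial URL not whitelisted"
    if len(chain) == 1:
        return True, "no redirect"
    if block_by_default and not opted_in:
        return False, "redirect blocked: directive lacks 'unsafe-redirect'"
    # 1.0 status quo: 'unsafe-redirect' does not widen the whitelist, so
    # each redirect target still has to match the source list.
    for hop in chain[1:]:
        if not any(source_matches(hop, s, page_origin) for s in sources):
            return False, f"redirect target not whitelisted: {hop}"
    return True, "every hop whitelisted"


if __name__ == "__main__":
    # Constructed origin and policy mirroring the same-origin image case above.
    ORIGIN = "https://site.example"
    POLICY = {"default-src": ["'self'"], "img-src": ["'self'", UNSAFE_REDIRECT]}
    hop = [f"{ORIGIN}/avatar/1", f"{ORIGIN}/raw/avatar/1"]
    print(redirect_chain_allowed(POLICY, "img-src", hop, ORIGIN, True))
    print(redirect_chain_allowed(POLICY, "script-src", hop, ORIGIN, True))
```

Under the proposal the same-origin image redirect is allowed while the identical script redirect is blocked; a `default-src 'self' 'unsafe-redirect'` policy makes both models agree, which is the 1.0-compatible baseline asked about above.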
Received on Thursday, 5 June 2014 19:26:58 UTC
