W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP: Block redirects by default?

From: Mike West <mkwst@google.com>
Date: Wed, 11 Jun 2014 09:11:38 +0200
Message-ID: <CAKXHy=dFwf0gA0GCfqVy20+372QysdXXF8XRK+x0VrJXbNufxw@mail.gmail.com>
To: Joshua Peek <josh@joshpeek.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Sigbjørn Vik <sigbjorn@opera.com>, Neil Matatall <neilm@twitter.com>, Danesh Irani <danesh@google.com>
On Thu, Jun 5, 2014 at 9:26 PM, Joshua Peek <josh@joshpeek.com> wrote:

> The "unsafe-" prefix probably fits in best with the existing
> "unsafe-eval" and "unsafe-inline" directives, but it does kinda make
> it sound like it would allow redirects to unwhitelisted sources. Thats
> still not the case correct?
>

No, except insofar as we drop the path component from consideration after a
redirect (see
https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-paths-and-redirects
where that's hopefully well explained).


> I'm really excited about the CSP 1.1 changes, but with some of the
> changes being backwards incompatible, do you think it would be worth
> documenting a default CSP 1.1 policy that acts like CSP 1.0? For this
> case, noting that `default-src 'unsafe-redirect'` would act like 1.0
>

Yes, absolutely. Part of the "let's finally get CSP 1.1 out the door"
process (see an email I'm going to write right after this one...), should
be clearly documenting the differences between 1.0 and 1.1 in a way that
developers can wrap their brains around.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 June 2014 07:12:32 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC