Re: CSP: Block redirects by default?

On Thu, Jun 5, 2014 at 9:26 PM, Joshua Peek <> wrote:

> The "unsafe-" prefix probably fits in best with the existing
> "unsafe-eval" and "unsafe-inline" directives, but it does kinda make
> it sound like it would allow redirects to unwhitelisted sources. Thats
> still not the case correct?

No, except insofar as we drop the path component from consideration after a
redirect (see
where that's hopefully well explained).

> I'm really excited about the CSP 1.1 changes, but with some of the
> changes being backwards incompatible, do you think it would be worth
> documenting a default CSP 1.1 policy that acts like CSP 1.0? For this
> case, noting that `default-src 'unsafe-redirect'` would act like 1.0

Yes, absolutely. Part of the "let's finally get CSP 1.1 out the door"
process (see an email I'm going to write right after this one...), should
be clearly documenting the differences between 1.0 and 1.1 in a way that
developers can wrap their brains around.


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 11 June 2014 07:12:32 UTC