
Re: CfC to publish a LCWD of CSP 1.1

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Wed, 11 Jun 2014 11:20:32 +0200
Message-ID: <53981F60.8000107@opera.com>
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>

On 11-Jun-14 10:14, Mike West wrote:
> * Reporting does not include the origin of a redirect's target, but only
> the origin of the originally requested URL.

This helps, but still does not alleviate the problem that an attacker
can tell whether the requested URL was redirected or not. What happened
to the suggestion that:

If the request a) contains a source list directive, b) contains an
unsafe-redirect directive, and c) is cross domain, then it must state so
by including the following HTTP header: "CSP:
redirection-detection-possible".

This allows webmasters so inclined to protect their sites.

-- 
Sigbjørn Vik
Opera Software
Received on Wednesday, 11 June 2014 09:21:05 UTC
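The side channel the reply refers to, and the announcing header it proposes, as an added illustration in JavaScript (not code from the original page, from the CSP 1.1 draft or from any browser). Everything in it is constructed: the origins and responses, the reduced source-list policy, and an opaque `unsafeRedirect` flag standing in for the draft's 'unsafe-redirect' keyword. To mirror condition (b) of the proposal, the model matches redirect targets against the policy only when that flag is set; whether that is the draft's actual definition of the keyword is not asserted here. Answering an announced request with a plain 200 is likewise one arbitrary choice for the "webmaster so inclined".

```javascript
// Added model of the CSP redirect side channel and of the proposed
// "CSP: redirection-detection-possible" request header. Not browser or
// spec code; all names and responses below are constructed.

// Constructed server responses: URL -> 302 with Location, or 200.
const NETWORK = {
  "https://example.test/profile":    { status: 302, location: "https://login.example.test/" },
  "https://example.test/public.png": { status: 200 },
};

const originOf = (url) => new URL(url).origin;

// A source-list directive reduced to its allowed origins (think
// "img-src https://example.test"), plus the opaque flag (assumption).
const policy = { allowedOrigins: ["https://example.test"], unsafeRedirect: true };

// Browser side of the proposal: a request that is (a) governed by a
// source-list directive, (b) made under the flag and (c) cross-domain
// relative to the page carries the announcing header.
function outgoingHeaders(pageOrigin, url, pol = policy) {
  const crossDomain = originOf(url) !== pageOrigin;
  return (pol.allowedOrigins && pol.unsafeRedirect && crossDomain)
    ? { "CSP": "redirection-detection-possible" }
    : {};
}

// Plain server: ignores the header and redirects as configured.
const rawFetch = (url) => {
  if (!NETWORK[url]) throw new Error("no constructed response for " + url);
  return NETWORK[url];
};

// Protected server: when the request announces that a redirect would be
// observable, answer with the same 200 whether or not the URL would
// normally redirect (the 200 is an arbitrary choice for this model).
const protectedFetch = (url, headers) => {
  const resp = rawFetch(url);
  if (resp.status === 302 && headers["CSP"] === "redirection-detection-possible") {
    return { status: 200, hidden: true };
  }
  return resp;
};

// A resource load from a page at pageOrigin. The original URL is always
// matched against the policy; redirect targets are matched when the flag
// is set (model assumption). A violation blocks the load and produces a
// report that, as in the CfC text, names only the origin of the
// originally requested URL, never the redirect target.
function loadUnderCsp(url, pageOrigin, fetchFn = rawFetch, pol = policy) {
  let current = url;
  for (let hop = 0; hop < 20; hop++) {
    const subjectToPolicy = hop === 0 || pol.unsafeRedirect;
    if (subjectToPolicy && !pol.allowedOrigins.includes(originOf(current))) {
      return { blocked: true, report: { "blocked-uri": originOf(url) } };
    }
    const resp = fetchFn(current, outgoingHeaders(pageOrigin, current, pol));
    if (resp.status !== 302) return { blocked: false, report: null, final: current };
    current = resp.location;
  }
  throw new Error("redirect loop");
}

// The attacker's page points report-uri at its own server (or simply
// watches onerror). Whether a violation occurs at all tells it whether
// the URL redirected cross-origin, even though the report omits the target.
function attackerSeesRedirect(url, fetchFn = rawFetch) {
  return loadUnderCsp(url, "https://attacker.test", fetchFn).blocked;
}
```

Against `rawFetch`, `attackerSeesRedirect` returns true for the redirecting URL and false for the static one, so the attacker learns of the redirect despite the report carrying only `https://example.test`. Against `protectedFetch`, both URLs produce the same unblocked load and the distinction disappears; that is the protection the header would let a site opt into.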