Re: CfC to publish a LCWD of CSP 1.1

On 11-Jun-14 10:14, Mike West wrote:
> * Reporting does not include the origin of a redirect's target, but only
> the origin of the originally requested URL.

This helps, but still does not alleviate the problem that an attacker
can still tell if the requested URL was redirected or not. What happened
to the suggestion that:

If the request a) contains a source list directive, b) contains an
unsafe-redirect directive, and c) is cross-domain, then it must state so
by including the following HTTP header: "CSP:

This allows webmasters so inclined to protect their sites.

Received on Wednesday, 11 June 2014 09:21:05 UTC