- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Wed, 11 Jun 2014 11:20:32 +0200
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On 11-Jun-14 10:14, Mike West wrote:

> * Reporting does not include the origin of a redirect's target, but only
> the origin of the originally requested URL.

This helps, but still does not alleviate the problem that an attacker can still tell if the requested URL was redirected or not.

What happened to the suggestion that: If the request a) contains a source list directive, b) contains an unsafe-redirect directive, and c) is cross domain, then it must state so by including the following HTTP header: "CSP: redirection-detection-possible". This allows webmasters so inclined to protect their sites.

-- 
Sigbjørn Vik
Opera Software
Received on Wednesday, 11 June 2014 09:21:05 UTC
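The following is an added illustration of how a site operator could act on the request header proposed in the message above; it is example code written for this page, not code from the poster, from Opera, or from any CSP specification. The header name and value `CSP: redirection-detection-possible` are taken from the proposal; the request/response classes, the `/account` page and the logged-in/logged-out redirect are constructed assumptions. The idea shown: when the browser signals that a cross-origin requester could observe a redirect through CSP reporting, the server answers with the same status and no `Location` header regardless of session state, so the report carries no redirect-derived signal.

```python
"""Hypothetical server-side handling of the proposed
'CSP: redirection-detection-possible' request header (example code for this
page, not from the original post or any CSP spec)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Header name and value exactly as proposed in the message above.
PROPOSED_HEADER = "CSP"
PROPOSED_VALUE = "redirection-detection-possible"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # constructed, case-insensitive lookup below


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def get_header(req: Request, name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; normalise before comparing."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirect_detection_possible(req: Request) -> bool:
    """True when the browser declared that a cross-origin requester could observe a redirect."""
    value = get_header(req, PROPOSED_HEADER)
    if value is None:
        return False
    tokens = [t.strip().lower() for t in value.split(",")]
    return PROPOSED_VALUE in tokens


def handle_account_page(req: Request, logged_in: bool) -> Response:
    """Assumed page: logged-in users get content, others are normally sent to /login.

    The 302-versus-200 difference is the kind of state an attacker could infer
    from a CSP violation report if the redirect target is checked against the
    requester's source list. When the proposed header is present, serve a
    uniform non-redirecting response instead, so both states look identical
    to the cross-origin requester.
    """
    if logged_in:
        return Response(200, {"Cache-Control": "no-store"}, "account page")
    if redirect_detection_possible(req):
        # Same status as the logged-in case and no Location header: the
        # requester's CSP report cannot tell the two sessions apart.
        return Response(200, {"Cache-Control": "no-store"}, "")
    # Ordinary first-party navigation keeps the normal redirect.
    return Response(302, {"Location": "/login"}, "")


if __name__ == "__main__":
    flagged = Request("GET", "/account", {"CSP": PROPOSED_VALUE})
    plain = Request("GET", "/account")
    print(handle_account_page(flagged, logged_in=False))  # 200, no Location
    print(handle_account_page(plain, logged_in=False))    # 302 to /login
```

The check is deliberately narrow: it changes behaviour only when the browser has asserted that the request is cross-domain and redirect-observable, so normal first-party navigation keeps its redirect and only the reportable case is made uniform.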