W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CfC to publish a LCWD of CSP 1.1

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 11 Jun 2014 11:31:49 +0200
Message-ID: <CADnb78i7GBoJd2B7zWNNbH=V2CP972dxK9fXX4SZWLj2F07BaQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Sigbjørn Vik <sigbjorn@opera.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Jun 11, 2014 at 10:14 AM, Mike West <mkwst@google.com> wrote:
> * Redirects are blocked by default: authors must opt-in to enabling
> redirects (which must still match directives' source list) via the new
> 'unsafe-redirect' source expression:
> https://github.com/w3c/webappsec/commit/d1fd42a6df58ef2a7afedcd12ae2bff76a096d1a

How does this prevent the direct from happening? It seems to only talk
about the final URL?

Also, why are we still using the term URI in the specification? I feel
a bit like a broken record at this point, but CSP is the only
specifications that does this within web platform land.

It also still talks about 400 response. I raised the point about it
having to be a network error ages ago. What's the hold up?

Fetch integration will be done in CSP 1.2? I was sort of hoping
sooner, but I guess that is okay.


-- 
http://annevankesteren.nl/
Received on Wednesday, 11 June 2014 09:32:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC