On Wed, Jun 11, 2014 at 11:20 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
> On 11-Jun-14 10:14, Mike West wrote:
> > * Reporting does not include the origin of a redirect's target, but only
> > the origin of the originally requested URL.
>
> This helps, but still does not alleviate the problem that an attacker
> can still tell if the requested URL was redirected or not. What happened
> to the suggestion that:
>
> If the request a) contains a source list directive, b) contains an
> unsafe-redirect directive, and c) is cross domain, then it must state so
> by including the following HTTP header: "CSP:
> redirection-detection-possible".
>
Apologies. I did write this bit, but neglected to actually commit it. It's
been a long week. :)
https://github.com/w3c/webappsec/commit/049a3c94817770487e21d6151b135bca4b19ba46
And, actually, I didn't think about the 'unsafe-redirect' bit:
https://github.com/w3c/webappsec/commit/a8a566391e9161139822c9fd0e880626abbdad15
WDYT? It's implemented with different syntax than you've suggested here,
but the idea is the same.
-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
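The two rules this exchange is about, as an added model that is not part of the thread or of the w3c/webappsec spec text: reports name only the origin of the originally requested URL, and a request meeting Sigbjørn's conditions a), b) and c) carries the header he quotes. The function names, the pre-parsed policy shape and the origin-only source matching are my simplifications.

```javascript
// Added illustration of the two reporting rules discussed in this thread. It is
// not spec text and not code from w3c/webappsec. Assumptions: a policy is
// pre-parsed into {name, sources[]} directives, source matching is origin-only,
// and the header value is the one quoted from Sigbjørn's mail.

const originOf = (url) => new URL(url).origin;

// Origin-level match: '*', 'self' (the document's own origin) or a literal origin.
// What 'unsafe-redirect' does to matching itself is not modelled here.
function sourceAllows(directive, url, documentOrigin) {
  const origin = originOf(url);
  return directive.sources.some((s) =>
    s === '*' || (s === "'self'" && origin === documentOrigin) || s === origin);
}

// Mike's first point: when a hop in the redirect chain is blocked, the report
// names only the origin of the originally requested URL, never the redirect
// target. (Assumption: a URL blocked before any redirect is reported in full,
// since the page that issued the request already knows it.)
function evaluateRequest(directive, documentOrigin, originalUrl, redirectChain) {
  const hops = [originalUrl, ...redirectChain];
  const blocked = hops.findIndex((u) => !sourceAllows(directive, u, documentOrigin));
  if (blocked === -1) return { allowed: true, report: null };
  return {
    allowed: false,
    report: {
      'violated-directive': directive.name,
      'blocked-uri': blocked === 0 ? originalUrl : originOf(originalUrl),
    },
  };
}

// Sigbjørn's point: the mere presence of a report still reveals that a redirect
// happened. His proposal: a request meeting conditions a), b) and c) announces
// this in a header, so the server can decide not to redirect such requests.
const SOURCE_LIST_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
]);

function redirectDetectionHeader(policy, documentOrigin, requestUrl) {
  const hasSourceList = policy.some((d) => SOURCE_LIST_DIRECTIVES.has(d.name)); // a)
  const hasUnsafeRedirect = policy.some((d) => d.sources.includes("'unsafe-redirect'")); // b)
  const crossDomain = originOf(requestUrl) !== documentOrigin; // c)
  return hasSourceList && hasUnsafeRedirect && crossDomain
    ? { CSP: 'redirection-detection-possible' }
    : {};
}
```

Running `evaluateRequest` on an allowed origin that redirects to a blocked one shows the leak Sigbjørn describes: the report omits the target origin, but its existence alone tells the page a redirect occurred.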