
Re: CfC to publish a LCWD of CSP 1.1

From: Mike West <mkwst@google.com>
Date: Wed, 11 Jun 2014 12:26:28 +0200
Message-ID: <CAKXHy=eA3pjbE+DMQVVG5tgn_kr0LtZ+cMvNh580_S4--6Y4WA@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Jun 11, 2014 at 11:20 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> On 11-Jun-14 10:14, Mike West wrote:
> > * Reporting does not include the origin of a redirect's target, but only
> > the origin of the originally requested URL.
>
> This helps, but still does not alleviate the problem that an attacker
> can still tell if the requested URL was redirected or not. What happened
> to the suggestion that:
>
> If the request a) contains a source list directive, b) contains an
> unsafe-redirect directive, and c) is cross domain, then it must state so
> by including the following HTTP header: "CSP:
> redirection-detection-possible".
>

Apologies. I did write this bit, but neglected to actually commit it. It's
been a long week. :)

https://github.com/w3c/webappsec/commit/049a3c94817770487e21d6151b135bca4b19ba46

And, actually, I didn't think about the 'unsafe-redirect' bit:
https://github.com/w3c/webappsec/commit/a8a566391e9161139822c9fd0e880626abbdad15

WDYT? It's implemented with different syntax than you've suggested here,
but the idea is the same.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
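As an added example (not code from this thread or from the CSP 1.1 draft), the header rule Sigbjørn quotes is modelled in Python: the client-side check applies the three conditions a) to c) before attaching "CSP: redirection-detection-possible" to a request, and a hypothetical origin server uses the header to keep its redirect from being observable. The set of source-list directives, the treatment of 'unsafe-redirect' as a source-list keyword, the URLs and the server handler are all assumptions.

```python
from urllib.parse import urlsplit

# Assumed: CSP 1.1 directives whose value is a source list.
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
}
# Header proposed in the thread (name/value as quoted in the e-mail).
HEADER = ("CSP", "redirection-detection-possible")


def parse_csp(policy):
    """Split "script-src 'self' a; img-src b" into {'script-src': [...], ...}.
    The first occurrence of a directive wins, as in CSP."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def is_cross_domain(document_url, request_url):
    """Condition c): scheme/host/port of the request differ from the document."""
    d, r = urlsplit(document_url), urlsplit(request_url)
    return (d.scheme, d.hostname, d.port) != (r.scheme, r.hostname, r.port)


def redirect_detection_header(policy, document_url, request_url):
    """Return the header to attach to the request, or None, applying the
    three conditions from the e-mail: a) a source-list directive is present,
    b) 'unsafe-redirect' appears in one (assumed to be a quoted keyword),
    c) the request is cross domain."""
    directives = parse_csp(policy)
    source_lists = {k: v for k, v in directives.items() if k in SOURCE_LIST_DIRECTIVES}
    has_unsafe_redirect = any(
        expr.strip("'") == "unsafe-redirect" for v in source_lists.values() for expr in v
    )
    if source_lists and has_unsafe_redirect and is_cross_domain(document_url, request_url):
        return HEADER
    return None


def serve_profile(request_headers, logged_in):
    """Hypothetical origin-server handler: a page that normally redirects
    anonymous users to /login. When the requester flags that a redirect would
    be observable cross-domain, it answers 200 either way, so the status code
    no longer reveals whether the visitor is logged in."""
    flagged = request_headers.get("CSP") == HEADER[1]
    if not logged_in and not flagged:
        return 302, "/login"
    return 200, "/profile" if logged_in else "/login-form"
```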
Received on Wednesday, 11 June 2014 10:27:16 UTC
