
Re: CfC to publish a LCWD of CSP 1.1

From: Mike West <mkwst@google.com>
Date: Wed, 11 Jun 2014 12:26:28 +0200
Message-ID: <CAKXHy=eA3pjbE+DMQVVG5tgn_kr0LtZ+cMvNh580_S4--6Y4WA@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, Jun 11, 2014 at 11:20 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> On 11-Jun-14 10:14, Mike West wrote:
> > * Reporting does not include the origin of a redirect's target, but only
> > the origin of the originally requested URL.
> This helps, but still does not alleviate the problem that an attacker
> can still tell if the requested URL was redirected or not. What happened
> to the suggestion that:
> If the request a) contains a source list directive, b) contains an
> unsafe-redirect directive, and c) is cross domain, then it must state so
> by including the following HTTP header: "CSP:
> redirection-detection-possible".

Apologies. I did write this bit, but neglected to actually commit it. It's
been a long week. :)


And, actually, I didn't think about the 'unsafe-redirect' bit:

WDYT? It's implemented with different syntax than you've suggested here,
but the idea is the same.


Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 June 2014 10:27:16 UTC
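The two mitigations discussed above, as an added example written for this page (not code from the thread, the CSP draft, or any browser): a user-agent-side sketch in Python that decides when an outgoing request must carry the proposed `CSP: redirection-detection-possible` header, and a report builder that exposes only the origin of the originally requested URL, never the redirect target. The directive set, the default-src fallback, and the placement of the header on the request are assumptions.

```python
from urllib.parse import urlsplit

# CSP 1.1 directives whose value is a source list (assumed subset for the example).
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
}
UNSAFE_REDIRECT = "'unsafe-redirect'"

def parse_policy(policy):
    """Split 'name value value; name ...' into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def governing_sources(directives, directive):
    """Source list that governs a request type, falling back to default-src (assumed)."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src", [])

def redirection_detection_possible(policy, document_url, request_url, directive):
    """The proposal's three conditions: a source-list directive governs the
    request, it carries 'unsafe-redirect', and the request is cross-origin."""
    if directive not in SOURCE_LIST_DIRECTIVES:
        return False
    sources = governing_sources(parse_policy(policy), directive)
    return UNSAFE_REDIRECT in sources and origin(document_url) != origin(request_url)

def request_headers(policy, document_url, request_url, directive):
    """Extra headers the user agent adds to the outgoing request (assumed UA-side)."""
    headers = {}
    if redirection_detection_possible(policy, document_url, request_url, directive):
        headers["CSP"] = "redirection-detection-possible"
    return headers

def violation_report(document_url, directive, requested_url, redirect_target_url):
    """Report exposes only the origin of the originally requested URL.
    redirect_target_url is known to the UA but intentionally never reported."""
    return {
        "document-uri": document_url,
        "violated-directive": directive,
        "blocked-uri": origin(requested_url),
    }
```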
