Re: CfC to publish a LCWD of CSP 1.1

On 11-Jun-14 12:26, Mike West wrote:

>     If the request a) contains a source list directive, b) contains an
>     unsafe-redirect directive, and c) is cross domain, then it must state so
>     by including the following HTTP header: "CSP:
>     redirection-detection-possible".
> Apologies. I did write this bit, but neglected to actually commit it.
> It's been a long week. :)

Looks good, then I have no further objections. Thanks for the
constructive work, and putting up with my paranoia :)

> And, actually, I didn't think about the 'unsafe-redirect'
> bit:
> WDYT? It's implemented with different syntax than you've suggested here,
> but the idea is the same.

Optionally, include the cross domain check.

I think the following code has one too many nots in it:
"source list <em>does not</em> contain the  <code>'unsafe-redirect'</code>"

Sigbjørn Vik
Opera Software

Received on Wednesday, 11 June 2014 10:42:16 UTC