Re: CfC to publish a LCWD of CSP 1.1

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Wed, 11 Jun 2014 12:41:43 +0200
Message-ID: <53983267.3050002@opera.com>
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Barth <w3c@adambarth.com>
On 11-Jun-14 12:26, Mike West wrote:

>     If the request a) contains a source list directive, b) contains an
>     unsafe-redirect directive, and c) is cross domain, then it must state so
>     by including the following HTTP header: "CSP:
>     redirection-detection-possible".
> Apologies. I did write this bit, but neglected to actually commit it.
> It's been a long week. :)

Looks good, then I have no further objections. Thanks for the
constructive work, and putting up with my paranoia :)

> And, actually, I didn't think about the 'unsafe-redirect'
> bit: https://github.com/w3c/webappsec/commit/a8a566391e9161139822c9fd0e880626abbdad15
> WDYT? It's implemented with different syntax than you've suggested here,
> but the idea is the same.

Optionally, include the cross domain check.

I think the following code has one too many nots in it:
"source list <em>does not</em> contain the  <code>'unsafe-redirect'</code>"

Sigbjørn Vik
Opera Software
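As an added illustration of the rule quoted at the top of this message (not code from the thread, from the CSP 1.1 draft, or from any implementation): the function below decides whether a user agent should attach the "CSP: redirection-detection-possible" request header. It assumes the set of source-list directive names listed in SOURCE_LIST_DIRECTIVES, treats 'unsafe-redirect' as a keyword inside a source list (the thread notes the committed syntax differs from the one proposed in the reply, so this is one of the two readings), and interprets "cross domain" as a scheme/host/port origin mismatch between the protected page and the request URL; all three are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed set of directives whose value is a source list (CSP 1.1 draft era).
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "child-src",
    "form-action", "frame-ancestors", "base-uri",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [tokens]}.
    Directives are ';'-separated; the first occurrence of a name wins."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name = parts[0].lower()
        directives.setdefault(name, parts[1:])
    return directives


def origin(url: str) -> tuple:
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def needs_redirection_header(policy: str, page_url: str, request_url: str) -> bool:
    """Apply the three conditions from the quoted rule:
    a) the policy has a source-list directive,
    b) one of those source lists contains 'unsafe-redirect' (assumed syntax),
    c) the request is cross-origin relative to the page (assumed reading of
       'cross domain')."""
    directives = parse_csp(policy)
    source_lists = {n: v for n, v in directives.items() if n in SOURCE_LIST_DIRECTIVES}
    if not source_lists:
        return False
    has_unsafe_redirect = any(
        tok.lower() == "'unsafe-redirect'" for toks in source_lists.values() for tok in toks
    )
    return has_unsafe_redirect and origin(page_url) != origin(request_url)


def request_headers(policy: str, page_url: str, request_url: str) -> dict:
    """Headers a user agent would add to the outgoing request under this rule."""
    headers = {}
    if needs_redirection_header(policy, page_url, request_url):
        headers["CSP"] = "redirection-detection-possible"
    return headers


if __name__ == "__main__":
    # Constructed sample policy and URLs for demonstration.
    policy = "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-redirect'"
    print(request_headers(policy, "https://app.example/", "https://cdn.example/lib.js"))
    print(request_headers(policy, "https://app.example/", "https://app.example/own.js"))
```

The header is only added for the cross-origin fetch in the first call; the second call returns an empty dict because the request stays within the page's origin, and a policy without 'unsafe-redirect' (or with no source-list directive at all) never triggers it.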
Received on Wednesday, 11 June 2014 10:42:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC