
Re: CSP2: Drop 'unsafe-redirect'.

From: Mike West <mkwst@google.com>
Date: Wed, 1 Jul 2015 16:32:30 +0200
Message-ID: <CAKXHy=eP3hJNe+zc51bC3Bq-JnD8hCXJA_7KzFxmOdxVa3ZAsQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Wed, Jul 1, 2015 at 4:25 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jul 1, 2015 at 4:12 PM, Mike West <mkwst@google.com> wrote:
> > Experimentation locally on internal sites leads me to believe that it's not
> > going to be web compatible: I didn't find any Google property that used CSP
> > which the new behavior wouldn't break in some way.
>
> How are we going to protect the scenario instead?

The other redirect-related changes are sufficient to mitigate the risks (we
no longer consider the path component after a redirect, and we send a `CSP`
header to inform the server that cross-origin redirects might be visible).
`unsafe-redirect` was an opt-out mechanism that changed redirect behavior
in general, but didn't provide any security benefit. If there's desire, we
could make that an opt-in behavior instead, but we'd likely need to invent
some new syntax, and I'd prefer to defer that to CSP3 where I want to
rewrite everything anyway.

-mike
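The redirect rule Mike refers to (the path component of a host-source expression is consulted only for the initial request and ignored once the request has been redirected) as an added example, not code from this thread, from the CSP2 specification text, or from any browser's implementation. It is a simplified Python matcher for CSP2 host-source expressions: the regular expression, the `source_matches` and `check_redirect_chain` names, and the `policy_scheme` default are this example's own assumptions; `'self'`, nonce and hash sources, and scheme-only sources such as `https:` are not handled, and the `CSP` request header mentioned in the mail is not modelled.

```python
import re
from urllib.parse import urlsplit

# Assumed simplified grammar for a CSP2 host-source expression:
#   [scheme://] host [:port] [/path]    where host may be "*" or "*.suffix"
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?"
    r"(?P<path>/[^\s?#]*)?$"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def source_matches(expr, url, redirect_count=0, policy_scheme="https"):
    """Return True if `url` matches the host-source `expr`.

    `redirect_count` is the number of redirects already followed for this
    request; when it is non-zero the path part of `expr` is ignored, which
    is the CSP2 behaviour discussed above. `policy_scheme` stands in for the
    scheme of the protected resource (used when `expr` names no scheme).
    """
    m = HOST_SOURCE.match(expr)
    if not m:
        raise ValueError(f"unsupported source expression: {expr!r}")
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    url_host = (parts.hostname or "").lower()
    url_port = parts.port or DEFAULT_PORTS.get(url_scheme)
    url_path = parts.path or "/"

    # Scheme: explicit scheme must match; otherwise the protected resource's
    # scheme applies, with http policies also allowing https fetches.
    expr_scheme = (m.group("scheme") or "").lower()
    if expr_scheme:
        if url_scheme != expr_scheme:
            return False
    elif url_scheme != policy_scheme and not (
        policy_scheme == "http" and url_scheme == "https"
    ):
        return False

    # Host: "*" matches anything, "*.example.com" matches subdomains only.
    expr_host = m.group("host").lower()
    if expr_host == "*":
        pass
    elif expr_host.startswith("*."):
        if not url_host.endswith(expr_host[1:]):
            return False
    elif url_host != expr_host:
        return False

    # Port: absent means the scheme's default port; "*" means any port.
    expr_port = m.group("port")
    if expr_port is None:
        if url_port != DEFAULT_PORTS.get(url_scheme):
            return False
    elif expr_port != "*" and url_port != int(expr_port):
        return False

    # Path: only consulted for the initial (un-redirected) request.
    expr_path = m.group("path")
    if expr_path and redirect_count == 0:
        if expr_path.endswith("/"):
            if not url_path.startswith(expr_path):
                return False
        elif url_path != expr_path:
            return False
    return True


def check_redirect_chain(sources, chain, policy_scheme="https"):
    """Check each hop of a redirect chain against a directive's source list.

    `chain[0]` is the original request URL; later entries are redirect
    targets. Returns (allowed, first_blocked_url_or_None).
    """
    for hop, url in enumerate(chain):
        if not any(source_matches(s, url, hop, policy_scheme) for s in sources):
            return False, url
    return True, None


if __name__ == "__main__":
    # Constructed sample: script-src https://cdn.example.com/js/
    policy = ["https://cdn.example.com/js/"]
    # Redirect within the allowed host but outside the listed path: allowed,
    # because the path is not consulted after a redirect.
    print(check_redirect_chain(policy, [
        "https://cdn.example.com/js/app.js",
        "https://cdn.example.com/assets/app-v2.js",
    ]))
    # Redirect to a different host: still blocked, host/scheme/port are
    # checked on every hop.
    print(check_redirect_chain(policy, [
        "https://cdn.example.com/js/app.js",
        "https://other.example.net/app.js",
    ]))
```

The chain checker shows why dropping `unsafe-redirect` loses nothing the path check did not already give up: each hop is still matched on scheme, host and port, so a redirect can only land somewhere the policy already lists; only the path granularity is relaxed after the first hop.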
Received on Wednesday, 1 July 2015 14:33:18 UTC
