Re: CSP2: Drop 'unsafe-redirect'.

On Wed, Jul 1, 2015 at 4:25 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jul 1, 2015 at 4:12 PM, Mike West <mkwst@google.com> wrote:
> > Experimentation locally on internal sites leads me to believe that it's
> > not going to be web compatible: I didn't find any Google property that
> > used CSP which the new behavior wouldn't break in some way.
>
> How are we going to protect the scenario instead?
>

The other redirect-related changes are sufficient to mitigate the risks (we
no longer consider the path component after a redirect, and we send a `CSP`
header to inform the server that cross-origin redirects might be visible).
`unsafe-redirect` was an opt-out mechanism that changed redirect behavior
in general, but didn't provide any security benefit. If there's desire, we
could make that an opt-in behavior instead, but we'd likely need to invent
some new syntax, and I'd prefer to defer that to CSP3 where I want to
rewrite everything anyway.

-mike

Received on Wednesday, 1 July 2015 14:33:18 UTC
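Added illustration of the redirect rule Mike refers to above ("we no longer consider the path component after a redirect"); this is not code from the thread or from the CSP specification, and it does not model the `CSP` request header, whose syntax is not given on this page. It is a deliberately simplified source-expression matcher: it assumes source expressions are full origins with an optional path (e.g. `https://cdn.example/images/`), no host wildcards, no keyword sources such as `'self'`, and ports compared against the scheme's default. The `checkPathAfterRedirect` flag, the `firstBlockedHop` helper and the sample redirect chains are all constructed for the example.

```javascript
// Simplified CSP2-style source-expression matching (added example, not the
// spec's own algorithm). Assumptions: origin + optional path expressions only,
// no host wildcards, no keyword sources, ports compared with scheme defaults.

function defaultPort(scheme) {
  return scheme === "https" ? "443" : scheme === "http" ? "80" : "";
}

function parseSource(expr) {
  const u = new URL(expr);
  const scheme = u.protocol.slice(0, -1);
  return {
    scheme,
    host: u.hostname,
    port: u.port || defaultPort(scheme),
    // "/" means "no path restriction": "https://cdn.example" and
    // "https://cdn.example/" both cover the whole origin.
    path: u.pathname === "/" ? "" : u.pathname,
  };
}

// redirectCount: 0 for the original request URL, 1+ for each redirect target.
// checkPathAfterRedirect: false = the CSP2 behaviour described in the mail
// (path-part ignored once the request has been redirected);
// true = the older behaviour, kept only for contrast (hypothetical flag).
function matchesSource(expr, urlString, redirectCount, checkPathAfterRedirect = false) {
  const src = parseSource(expr);
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  // Scheme, host and port are always compared, redirect or not.
  if (scheme !== src.scheme || u.hostname !== src.host) return false;
  if ((u.port || defaultPort(scheme)) !== src.port) return false;
  const consultPath = Boolean(src.path) && (redirectCount === 0 || checkPathAfterRedirect);
  if (!consultPath) return true;
  // Trailing slash => prefix match on the path; otherwise exact match.
  return src.path.endsWith("/") ? u.pathname.startsWith(src.path) : u.pathname === src.path;
}

// Walk a redirect chain; chain[0] is the original request URL.
// Returns the index of the first hop the policy blocks, or -1 if all are allowed.
function firstBlockedHop(expr, chain, checkPathAfterRedirect = false) {
  for (let i = 0; i < chain.length; i++) {
    if (!matchesSource(expr, chain[i], i, checkPathAfterRedirect)) return i;
  }
  return -1;
}

// Constructed sample: a page with "img-src https://cdn.example/images/" loads an
// image that the CDN then redirects to a path outside /images/.
const POLICY_SOURCE = "https://cdn.example/images/";
const SAME_ORIGIN_CHAIN = [
  "https://cdn.example/images/avatar.png",
  "https://cdn.example/private/user-42.png",
];
const CROSS_ORIGIN_CHAIN = [
  "https://cdn.example/images/avatar.png",
  "https://other.example/images/avatar.png",
];

if (typeof require !== "undefined" && require.main === module) {
  // CSP2: the redirect target's path is not consulted, so the load is allowed
  // and no violation report reveals that /private/ exists.
  console.log("CSP2  same-origin:", firstBlockedHop(POLICY_SOURCE, SAME_ORIGIN_CHAIN));       // -1
  // Older behaviour: hop 1 is blocked, and a report would expose the redirected path.
  console.log("old   same-origin:", firstBlockedHop(POLICY_SOURCE, SAME_ORIGIN_CHAIN, true)); // 1
  // A cross-origin redirect is still blocked by the host check in either mode.
  console.log("CSP2 cross-origin:", firstBlockedHop(POLICY_SOURCE, CROSS_ORIGIN_CHAIN));      // 1
}
```

The contrast between the two `firstBlockedHop` calls on `SAME_ORIGIN_CHAIN` is the point of the CSP2 change: if the path were still matched after a redirect, a document could distinguish redirect targets by whether a violation fired, which is why the path is dropped from consideration once a redirect has occurred. The cross-origin chain shows that host checks still apply after redirects, which is the case the `CSP` request header mentioned in the mail is meant to warn servers about.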