- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 1 Jul 2015 18:03:52 +0200
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>

On Wed, Jul 1, 2015 at 4:32 PM, Mike West <mkwst@google.com> wrote:
> The other redirect-related changes are sufficient to mitigate the risks (we
> no longer consider the path component after a redirect, and we send a `CSP`
> header to inform the server that cross-origin redirects might be visible).

Could you explain how they are visible? You might have done that already
once but I forgot. I should update
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling but I don't
really know how.

--
https://annevankesteren.nl/

Received on Wednesday, 1 July 2015 16:04:16 UTC