Re: CSP2: Drop 'unsafe-redirect'.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 1 Jul 2015 18:03:52 +0200
Message-ID: <CADnb78hAdrq4S8CUKhsX6YNKXHKKDH4EbH0SZGQcYsfB6eH4tw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>

On Wed, Jul 1, 2015 at 4:32 PM, Mike West <mkwst@google.com> wrote:
> The other redirect-related changes are sufficient to mitigate the risks (we
> no longer consider the path component after a redirect, and we send a `CSP`
> header to inform the server that cross-origin redirects might be visible).

Could you explain how they are visible? You might have done that
already once but I forgot. I should update
https://fetch.spec.whatwg.org/#atomic-http-redirect-handling but I
don't really know how.

Received on Wednesday, 1 July 2015 16:04:16 UTC
