On Wed, Jul 1, 2015 at 6:03 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Jul 1, 2015 at 4:32 PM, Mike West <mkwst@google.com> wrote:
> > The other redirect-related changes are sufficient to mitigate the risks (we
> > no longer consider the path component after a redirect, and we send a `CSP`
> > header to inform the server that cross-origin redirects might be visible).
>
> Could you explain how they are visible? You might have done that
> already once but I forgot. I should update
> https://fetch.spec.whatwg.org/#atomic-http-redirect-handling but I
> don't really know how.
>
"Visible" insofar as `img-src example.com` would trigger a violation if
`https://example.com/totally-sekrit-redirect` redirected to
`https://sekrit-target.example.com/`.
Violation reports allow you to detect the target origin (but not the target
path).
-mike
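A small model of the behaviour Mike describes, added here as an example and not code from the thread, the Fetch spec or any browser: `source_matches` ignores the source's path component once a redirect has happened, and `fetch_with_csp` produces a violation report whose `blocked-uri` carries only the target origin. The function names, the https-page assumption and the sample URLs are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Hypothetical model of CSP host-source matching for this thread.
# Source expression shape: [scheme://]host[:port][/path].
# Assumes an https page, so a scheme-less source is treated as https.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _origin(parts):
    port = "" if _port(parts) == DEFAULT_PORTS.get(parts.scheme) else f":{parts.port}"
    return f"{parts.scheme}://{parts.hostname}{port}"


def source_matches(source, url, redirected):
    """True if `url` matches `source`. After a redirect the source's path is
    ignored and only scheme, host and port are compared, as the thread says."""
    if "://" not in source:
        source = "https://" + source
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme != tgt.scheme or _port(src) != _port(tgt):
        return False
    if src.hostname.startswith("*."):
        if not tgt.hostname.endswith(src.hostname[1:]):
            return False
    elif src.hostname != tgt.hostname:
        return False
    if redirected or not src.path:
        return True
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)
    return tgt.path == src.path


def fetch_with_csp(sources, hops):
    """Walk a redirect chain `hops` (list of URLs) under an img-src source list.
    Returns (allowed, report). The report's blocked-uri is reduced to the
    origin, so it reveals the redirect target's origin but never its path."""
    for i, url in enumerate(hops):
        if not any(source_matches(s, url, redirected=i > 0) for s in sources):
            return False, {"violated-directive": "img-src",
                           "blocked-uri": _origin(urlsplit(url))}
    return True, None


if __name__ == "__main__":
    # Constructed chain from the thread: allowed first hop, cross-origin redirect.
    print(fetch_with_csp(["example.com"],
                         ["https://example.com/totally-sekrit-redirect",
                          "https://sekrit-target.example.com/"]))
```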