Re: CSP2: Drop 'unsafe-redirect'. from Mike West on 2015-07-01 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Wed, 1 Jul 2015 18:06:45 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
Message-ID: <CAKXHy=fXdb7_DngCtMHiiANaWDAu15npSQf9BZpz2WZeawCs1A@mail.gmail.com>

On Wed, Jul 1, 2015 at 6:03 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jul 1, 2015 at 4:32 PM, Mike West <mkwst@google.com> wrote:
> > The other redirect-related changes are sufficient to mitigate the risks
> (we
> > no longer consider the path component after a redirect, and we send a
> `CSP`
> > header to inform the server that cross-origin redirects might be
> visible).
>
> Could you explain how they are visible? You might have done that
> already once but I forgot. I should update
> https://fetch.spec.whatwg.org/#atomic-http-redirect-handling but I
> don't really know how.
>

"Visible" insofar as `img-src example.com` would trigger a violation if `
https://example.com/totally-sekrit-redirect` redirected to `
https://sekrit-target.example.com/`.

Violation reports allow you to detect the target origin (but not the target
path).

-mike

Received on Wednesday, 1 July 2015 16:07:34 UTC