
Re: CSP2: Drop 'unsafe-redirect'.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Jul 2015 11:35:04 +0200
Message-ID: <CADnb78hA3XaqnaRerdN-hpw5ENGTkd4uaL_XPUPnMHMAhAPFnw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Thu, Jul 2, 2015 at 10:25 AM, Mike West <mkwst@google.com> wrote:
> No, `unsafe-redirect` does not protect against information leakage, if only
> because a malicious page would simply opt-in. It gives a developer
> marginally more control over the resources her site loads, but I'd put it
> squarely in the nice-to-have category of features.

Is that analysis correct?

Say I host evil.example. I allow images to be loaded from
target.example exclusively through CSP. target.example uses
credentials to redirect loads to username.target.example. Would
evil.example not receive CSP reports with usernames extracted from

Received on Thursday, 2 July 2015 09:35:31 UTC
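The scenario Anne sketches above (a page whose policy only allows target.example, while target.example itself redirects a credentialed load to a username-specific subdomain) can be modelled in a few lines. The following is an added example, not code from the thread or from any browser: it simulates `img-src` host-source matching across a constructed redirect table and contrasts a report builder that copies the post-redirect URL into `blocked-uri` with one that only discloses the URL the page originally requested. Host names, the redirect table and the two report builders are all constructed for illustration.

```python
# Added example (not from the thread): a constructed simulation of CSP
# img-src enforcement across a redirect, showing what a violation report
# discloses when the redirect target is copied into blocked-uri, and a
# report builder that only discloses the URL the page itself requested.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Simplified CSP host-source match: exact host, or '*.x' for subdomains of x."""
    if pattern.startswith("*."):
        suffix = pattern[1:]          # e.g. ".target.example"
        return host.endswith(suffix) and host != pattern[2:]
    return pattern == host


def allowed(sources: List[str], url: str) -> bool:
    """True if the URL's host matches any host-source in the directive."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(s, host) for s in sources)


def fetch_under_csp(sources: List[str], url: str,
                    redirects: Dict[str, str]) -> Tuple[List[str], Optional[str]]:
    """Follow a constructed redirect table, re-checking the directive on every hop.
    Returns (urls visited in order, first URL that violated the policy or None)."""
    chain = [url]
    while True:
        current = chain[-1]
        if not allowed(sources, current):
            return chain, current
        nxt = redirects.get(current)
        if nxt is None or len(chain) > 20:   # bound the chain as a browser would
            return chain, None
        chain.append(nxt)


def leaky_report(document_uri: str, chain: List[str], violating: str) -> dict:
    """Copies the post-redirect URL into blocked-uri: discloses the redirect target."""
    return {"document-uri": document_uri,
            "violated-directive": "img-src",
            "blocked-uri": violating}


def conservative_report(document_uri: str, chain: List[str], violating: str) -> dict:
    """Reports only the URL the page originally requested (already known to the
    page), so the report carries nothing learned from following the redirect."""
    return {"document-uri": document_uri,
            "violated-directive": "img-src",
            "blocked-uri": chain[0]}


def run_scenario() -> Tuple[dict, dict]:
    """The thread's scenario with constructed hosts: the page allows only
    target.example, and target.example redirects a credentialed load to
    <username>.target.example, which the policy does not allow."""
    sources = ["target.example"]
    requested = "https://target.example/avatar"
    # Constructed redirect table standing in for the server's per-user redirect.
    redirects = {requested: "https://alice.target.example/avatar.png"}
    chain, violating = fetch_under_csp(sources, requested, redirects)
    assert violating is not None, "the redirect hop should violate img-src"
    page = "https://evil.example/"
    return (leaky_report(page, chain, violating),
            conservative_report(page, chain, violating))


if __name__ == "__main__":
    leaky, conservative = run_scenario()
    print("leaky report blocked-uri:       ", leaky["blocked-uri"])
    print("conservative report blocked-uri:", conservative["blocked-uri"])
```

The point of the two builders is that the report channel, not the directive, decides whether the redirect target is disclosed: the conservative builder never puts anything into the report that the embedding page did not already supply, so the username-bearing subdomain stays on the target's side even though the load was blocked.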