- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 2 Jul 2015 11:35:04 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Thu, Jul 2, 2015 at 10:25 AM, Mike West <mkwst@google.com> wrote:
> No, `unsafe-redirect` does not protect against information leakage, if only
> because a malicious page would simply opt-in. It gives a developer
> marginally more control over the resources her site loads, but I'd put it
> squarely in the nice-to-have category of features.

Is that analysis correct?

Say I host evil.example. I allow images to be loaded from target.example exclusively through CSP. target.example uses credentials to redirect loads to username.target.example. Would evil.example not receive CSP reports with usernames extracted from target.example?

--
https://annevankesteren.nl/
Received on Thursday, 2 July 2015 09:35:31 UTC
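The scenario in the message, modelled as an added example (not code from the thread, the CSP specification or any browser): a toy source-list check applied at every hop of a redirect chain, plus the violation report the embedding page would receive. The `fake_server_redirects` function, the `report_redirect_target` switch and the hostnames are constructed for illustration; the point shown is that a report naming the post-redirect host carries the username, while a report naming only the URL the page originally requested does not.

```python
from urllib.parse import urlparse

# Constructed scenario: the page on evil.example allows images only from
# target.example; target.example answers credentialed requests with a
# redirect to <username>.target.example.
PAGE_ORIGIN = "https://evil.example"
IMG_SRC = ["https://target.example"]
MAX_REDIRECTS = 5


def fake_server_redirects(url, cookie_user):
    """Hypothetical stand-in for target.example: with a session cookie it
    redirects to the user's own subdomain; without one it serves directly."""
    if urlparse(url).hostname == "target.example" and cookie_user:
        return f"https://{cookie_user}.target.example/avatar.png"
    return None


def host_allowed(url, source_list):
    """Source-list matching reduced to an exact hostname comparison
    (no wildcard, scheme or port handling); enough for this scenario."""
    host = urlparse(url).hostname
    return any(urlparse(src).hostname == host for src in source_list)


def strip_for_report(url):
    """Reduce a URL to its origin before it is placed in a report. Note that
    the origin still contains the full hostname, so origin-only stripping
    alone does not remove a username carried in a subdomain."""
    p = urlparse(url)
    return f"{p.scheme}://{p.hostname}"


def load_with_csp(url, source_list, cookie_user, report_redirect_target):
    """Follow redirects while enforcing the source list at every hop.

    Returns (loaded, report). When a hop is blocked, blocked-uri is either
    the hop that failed (report_redirect_target=True, the leaky choice) or
    the URL the page itself requested (False, which hides where the
    redirect went)."""
    original = current = url
    for _ in range(MAX_REDIRECTS + 1):
        if not host_allowed(current, source_list):
            blocked = current if report_redirect_target else original
            return False, {
                "document-uri": PAGE_ORIGIN,
                "violated-directive": "img-src",
                "blocked-uri": strip_for_report(blocked),
            }
        nxt = fake_server_redirects(current, cookie_user)
        if nxt is None:
            return True, None
        current = nxt
    # Redirect limit exceeded: treat as blocked without naming any hop.
    return False, {
        "document-uri": PAGE_ORIGIN,
        "violated-directive": "img-src",
        "blocked-uri": strip_for_report(original),
    }


def report_leaks_username(report, username):
    """Defender's check: does the report expose the logged-in user's name?"""
    return report is not None and username in report["blocked-uri"]


if __name__ == "__main__":
    url = "https://target.example/avatar.png"
    for mode in (True, False):
        loaded, report = load_with_csp(url, IMG_SRC, "alice", mode)
        print(f"report_redirect_target={mode}: loaded={loaded} report={report}")
```

Reporting the pre-redirect URL keeps the redirect target out of the report, but the page still learns that a violation occurred, so a cross-origin redirect remains observable as an event; that is why the thread discusses the policy design rather than the report format alone.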