
Re: CSP2: Drop 'unsafe-redirect'.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Jul 2015 11:35:04 +0200
Message-ID: <CADnb78hA3XaqnaRerdN-hpw5ENGTkd4uaL_XPUPnMHMAhAPFnw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Thu, Jul 2, 2015 at 10:25 AM, Mike West <mkwst@google.com> wrote:
> No, `unsafe-redirect` does not protect against information leakage, if only
> because a malicious page would simply opt-in. It gives a developer
> marginally more control over the resources her site loads, but I'd put it
> squarely in the nice-to-have category of features.

Is that analysis correct?

Say I host evil.example. I allow images to be loaded from
target.example exclusively through CSP. target.example uses
credentials to redirect loads to username.target.example. Would
evil.example not receive CSP reports with usernames extracted from
target.example?


-- 
https://annevankesteren.nl/
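A small Python model of the scenario described in the message, added here as an illustration rather than code from the thread or from any browser's CSP implementation. It assumes exact host-source matching and a two-hop redirect; the hostnames and the username "alice" are constructed placeholders. It shows why a violation report that echoes the blocked redirect destination reveals the per-user hostname, and how reporting only the origin of the original request avoids that.

```python
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed scenario: evil.example's policy allows images only from
# target.example, and target.example redirects an authenticated load to a
# per-user subdomain. "alice" stands in for the username that must not leak.
POLICY_IMG_SRC: Set[str] = {"target.example"}
REDIRECT_CHAIN: List[str] = [
    "https://target.example/avatar",
    "https://alice.target.example/avatar.png",  # constructed redirect target
]


def host_allowed(url: str, sources: Set[str]) -> bool:
    """Exact-host match against plain host-sources (no wildcards assumed)."""
    return urlsplit(url).hostname in sources


def first_blocked_hop(chain: List[str], sources: Set[str]) -> Optional[str]:
    """Return the first URL in the redirect chain the policy does not allow."""
    for url in chain:
        if not host_allowed(url, sources):
            return url
    return None


def naive_report(chain: List[str], sources: Set[str]) -> Optional[Dict[str, str]]:
    """Echo the blocked URL verbatim: the redirect destination reaches evil.example."""
    blocked = first_blocked_hop(chain, sources)
    if blocked is None:
        return None
    return {"blocked-uri": blocked}


def origin_only_report(chain: List[str], sources: Set[str]) -> Optional[Dict[str, str]]:
    """Report only the origin of the original request for a redirected load,
    so the hostname chosen by target.example after authentication is never sent."""
    if first_blocked_hop(chain, sources) is None:
        return None
    parts = urlsplit(chain[0])
    return {"blocked-uri": f"{parts.scheme}://{parts.netloc}"}


def leaks_secret(report: Optional[Dict[str, str]], secret: str = "alice") -> bool:
    """True when the report body would disclose the constructed username."""
    return report is not None and secret in report["blocked-uri"]
```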
Received on Thursday, 2 July 2015 09:35:31 UTC