[csp3] CSP vulnerability enabling cross-origin session data exfiltration

From: Eli Grey <me@eligrey.com>
Date: Fri, 26 Jan 2018 05:13:22 +0000
Message-ID: <CAASPBeMmWzHVSHj71g++uSv1Ogv5NxYAJSMB0og5=aEd18Oesw@mail.gmail.com>
To: public-webappsec@w3.org

I filed an issue for this on the GitHub repo at
https://github.com/w3c/webappsec-csp/issues/289

CSP-allowed URIs should confer trust to all redirected URIs to fix this
vulnerability.

Received on Friday, 26 January 2018 05:14:29 UTC
