[csp3] CSP vulnerability enabling cross-origin session data exfiltration

• From: Eli Grey <me@eligrey.com>
• Date: Fri, 26 Jan 2018 05:13:22 +0000
• To: public-webappsec@w3.org
• Message-ID: <CAASPBeMmWzHVSHj71g++uSv1Ogv5NxYAJSMB0og5=aEd18Oesw@mail.gmail.com>

I filed an issue for this on the GitHub repo at
https://github.com/w3c/webappsec-csp/issues/289

CSP-allowed URIs should confer trust to all redirected URIs to fix this
vulnerability.

Received on Friday, 26 January 2018 05:14:29 UTC