On 10/22/09 10:31 AM, Mike Ter Louw wrote:
> Any ideas for how best to address the redirect problem?

In the existing parts of CSP the restrictions apply to redirects. That is, if you only allow images from foo.com and then try to load an image from a redirector on foo.com, it will fail if the redirection is to some other site. (This has turned out to be an annoying part of CSP to implement, as redirects happen deep in the network library, far from the places that have the context to enforce this rule.)

Likewise, your anti-CSRF rules should propagate through redirects for consistency.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
