
Re: Using CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 19 Jul 2011 23:19:43 -0700
Message-ID: <CAPfop_2bcpWR4=CrHKpWtJZiDYiGSn_H7JAqwLgPFyz1ONiKbg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
>
> something like (using ABNF):
>
>  source = [ modifier ]  "self" / scheme ":" host  [ ":" port ]
>  modifier = "^" // do not report
>                  / "?"  // warn only
>

Again, I don't understand.

How would this work for your case? Note that the geo fetch is
violating BOTH of your origin declarations ('self'/mnot.net and
*.static.flickr.com).

Seems that the way to make an exception would be to add a new "Don't
report violations caused by access to the following origins:" keyword.
That seems pretty ugly to me.

-devdatta

> etc.
>
>
>>> - I tried adding an X-WebKit-CSP header with the same policy on the front page, but Chrome behaved differently; e.g., it didn't want to load a local .js, even though that's allowed by the policy.
>>
>> If you send me a reduced test case of the issue you're running into,
>> I'd be happy to fix it.
>
> Will see what I can do.
>
> --
> Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 20 July 2011 06:20:32 GMT
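An added example, not part of the thread, written against the ABNF quoted above: a small Python evaluator that parses source expressions with the proposed modifiers and decides what happens to a fetch. It assumes a page origin of http://www.mnot.net for 'self', that a leading "*." matches subdomains, and one reading of the modifiers (a modified source is a violation softened by that modifier); under any such reading a modifier is bound to the source it prefixes, so a fetch matching none of the declared sources, like the geo fetch, is untouched by modifiers on 'self' or *.static.flickr.com.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Mirrors the quoted ABNF: source = [ modifier ] "self" / scheme ":" host [ ":" port ]
# Assumptions: 'self' may be single-quoted; a "*." host prefix matches subdomains.
SOURCE_RE = re.compile(
    r"^(?P<mod>[\^?])?(?:(?P<self>'?self'?)|"
    r"(?P<scheme>[a-z][a-z0-9+.-]*):(?P<host>[^:/\s]+)(?::(?P<port>\d+))?)$")

@dataclass(frozen=True)
class Source:
    modifier: Optional[str]  # None, "^" (do not report) or "?" (warn only)
    scheme: str
    host: str
    port: Optional[int]

def parse_source(token: str, page_origin: tuple) -> Source:
    # 'self' resolves to the page origin, given as (scheme, host, port).
    m = SOURCE_RE.match(token)
    if not m:
        raise ValueError(f"not a source expression: {token!r}")
    if m.group("self"):
        scheme, host, port = page_origin
    else:
        scheme, host = m.group("scheme"), m.group("host")
        port = int(m.group("port")) if m.group("port") else None
    return Source(m.group("mod"), scheme, host, port)

def find_match(sources: list, url: str) -> Optional[Source]:
    # First declared source the fetched URL matches, or None if it matches none.
    u = urlsplit(url)
    for s in sources:
        host_ok = (u.hostname or "").endswith(s.host[1:]) if s.host.startswith("*.") \
            else u.hostname == s.host
        if s.scheme == u.scheme and host_ok and (s.port is None or s.port == u.port):
            return s
    return None

def decide(sources: list, url: str) -> str:
    # Assumed reading: an unmodified match is allowed, a modified match is a violation
    # softened by its modifier, and an unlisted URL is blocked and reported (no modifier applies).
    s = find_match(sources, url)
    if s is None:
        return "block+report"
    return {None: "allow", "?": "warn-only", "^": "block+no-report"}[s.modifier]
# Constructed policy from the thread: 'self' on mnot.net plus *.static.flickr.com.
PAGE = ("http", "www.mnot.net", None)
POLICY = [parse_source(t, PAGE) for t in ("'self'", "http:*.static.flickr.com")]
```

Adding the geo origin itself with a modifier is the only way a modifier reaches that fetch under this model, which is the gap the "Don't report violations caused by access to the following origins" keyword would fill differently.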
