- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 20 Jul 2011 16:22:51 +1000
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
On 20/07/2011, at 4:19 PM, Devdatta Akhawe wrote:
>>
>> something like (using ABNF):
>>
>> source = [ modifier ] "self" / scheme ":" host [ ":" port ]
>> modifier = "^" // do not report
>> / "?" // warn only
>>
>
> Again, I don't understand.
>
> How would this work for your case? Note that the geo fetch is
> violating BOTH of your origin declarations ('self'/mnot.net and
> *.static.flickr.com).
>
> Seems that the way to make an exception would be to add a new "Don't
> report violations caused by access to the following origins:" keyword.
> That seems pretty ugly to me.
I'd declare something like
img-src 'self' *.static.flickr.com ^geo.yahoo.com;
where the last source has the semantic "yes, I know geo.yahoo.com is going to create a violation; don't allow it, but don't report it either."
--
Mark Nottingham http://www.mnot.net/
Received on Wednesday, 20 July 2011 06:23:21 UTC
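As an added illustration (not code from the thread or from any CSP implementation), a small Python evaluator for the modifier syntax sketched above: it parses an img-src directive carrying the proposed "^" (block silently) and "?" (warn only) prefixes and decides, for a given fetch, whether it is allowed and whether a violation report would be sent. The host/port matching, the scheme-less host form (which follows the thread's own example rather than the ABNF) and the rule that a modified source overrides an unmodified match are assumptions of this example.

```python
from urllib.parse import urlsplit

# Hypothetical modifiers from the thread (not part of any published CSP spec):
#   "^" -> block the fetch but do not send a violation report
#   "?" -> warn only: allow the fetch but still report it
MODIFIERS = {"^": "no-report", "?": "warn"}

def parse_directive(directive):
    """Parse e.g. "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"
    into (name, [(modifier_or_None, source_expression), ...])."""
    name, _, rest = directive.strip().rstrip(";").partition(" ")
    sources = []
    for tok in rest.split():
        mod = MODIFIERS.get(tok[0])
        sources.append((mod, tok[1:] if mod else tok))
    return name, sources

def source_matches(expr, page_origin, url):
    """Match one source expression against the URL being fetched.
    Assumed forms: 'self', host, *.host, host:port (no scheme part)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    host, _, port = expr.partition(":")
    if port and str(u.port or "") != port:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def evaluate(directive, page_origin, url):
    """Return (allowed, report) for one fetch under the proposed semantics."""
    _, sources = parse_directive(directive)
    matches = [mod for mod, expr in sources if source_matches(expr, page_origin, url)]
    if not matches:
        return (False, True)            # ordinary violation: blocked and reported
    mod = next((m for m in matches if m), None)  # assumption: explicit modifier wins
    if mod == "no-report":
        return (False, False)           # "I know; don't allow it, don't report it"
    if mod == "warn":
        return (True, True)             # allowed, but a report is still sent
    return (True, False)

# Constructed sample policy and page origin, mirroring the thread's example.
POLICY = "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"
PAGE = "https://www.mnot.net"
```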