
Re: Using CSP

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 20 Jul 2011 16:22:51 +1000
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Message-Id: <104ABB33-AA52-4DE9-BE1B-8C1C4F9E42E1@mnot.net>
To: Devdatta Akhawe <dev.akhawe@gmail.com>

On 20/07/2011, at 4:19 PM, Devdatta Akhawe wrote:

>> 
>> something like (using ABNF):
>> 
>>  source = [ modifier ]  "self" / scheme ":" host  [ ":" port ]
>>  modifier = "^" // do not report
>>                  / "?"  // warn only
>> 
> 
> Again, I don't understand.
> 
> How would this work for your case? Note that the geo fetch is
> violating BOTH of your origin declarations ('self'/mnot.net and
> *.static.flickr.com).
> 
> Seems that the way to make an exception would be to add a new "Don't
> report violations caused by access to the following origins:" keyword.
> That seems pretty ugly to me.

I'd declare something like

  img-src 'self' *.static.flickr.com ^geo.yahoo.com;

where the last source has the semantic "yes, I know geo.yahoo.com is going to create a violation; don't allow it, but don't report it either."



--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 20 July 2011 06:23:21 GMT
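The `img-src` line Mark proposes, evaluated under the semantics he gives it ("don't allow it, but don't report it either"), as an added example that is not part of this thread and does not reflect any browser's CSP implementation. The `^` (block silently) and `?` (warn only) per-source modifiers are the thread's hypothetical syntax and are not part of any CSP specification. The matcher assumes the ordinary `[scheme://]host[:port]` host-source form with a leading `*.` wildcard, and it assumes a precedence rule the thread does not state: when several sources match, an unmodified allowing source wins over a `?` source, which wins over a `^` source. Sample page and fetch URLs below are constructed.

```python
"""Toy evaluator for the per-source modifier syntax proposed in this thread.

Hypothetical semantics (not part of any CSP specification):
  plain source  -> fetch allowed, nothing reported
  ?source       -> fetch allowed, but a warning report is sent
  ^source       -> fetch blocked, but no report is sent
  no match      -> fetch blocked and reported (ordinary CSP behaviour)
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Policy line copied from the proposal in the message above.
POLICY = "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"


def parse_directive(line):
    """Split a directive line into its name and a list of
    (modifier, scheme, host_pattern, port) tuples."""
    name, _, value = line.strip().rstrip(";").partition(" ")
    sources = []
    for token in value.split():
        modifier = ""
        if token[0] in "^?":          # the proposed per-source modifiers
            modifier, token = token[0], token[1:]
        if token == "'self'":
            sources.append((modifier, None, "'self'", None))
            continue
        scheme, host, port = None, token, None
        if "://" in host:
            scheme, host = host.split("://", 1)
        if ":" in host:
            host, port_text = host.rsplit(":", 1)
            port = int(port_text)
        sources.append((modifier, scheme, host.lower(), port))
    return name, sources


def _effective_port(parts):
    """Explicit port if given, otherwise the scheme's default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, hostname):
    """'*.example.com' matches any host with at least one extra leading label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern


def _source_matches(source, page_url, fetch_url):
    _, scheme, host, port = source
    page, fetch = urlsplit(page_url), urlsplit(fetch_url)
    if host == "'self'":
        # 'self' means same scheme, host and port as the protected document
        return (page.scheme, page.hostname, _effective_port(page)) == \
               (fetch.scheme, fetch.hostname, _effective_port(fetch))
    if scheme is not None and scheme != fetch.scheme:
        return False
    if not _host_matches(host, fetch.hostname or ""):
        return False
    return port is None or port == _effective_port(fetch)


def evaluate(policy_line, page_url, fetch_url):
    """Return (allowed, reported) for one fetch under the proposed semantics.

    Precedence when several sources match is an assumption of this example:
    an unmodified (allowing) source wins, then '?', then '^'.
    """
    _, sources = parse_directive(policy_line)
    modifiers = {s[0] for s in sources if _source_matches(s, page_url, fetch_url)}
    if not modifiers:
        return (False, True)      # ordinary violation: block and report
    if "" in modifiers:
        return (True, False)      # explicitly allowed
    if "?" in modifiers:
        return (True, True)       # warn-only: allow, but report
    return (False, False)         # only '^' matched: block silently


if __name__ == "__main__":
    # Constructed sample: the page and the four fetches discussed in the thread
    page = "https://www.mnot.net/blog/"
    for url in ("https://farm1.static.flickr.com/1/2.jpg",   # allowed
                "https://geo.yahoo.com/p.gif",                # blocked, not reported
                "https://www.mnot.net/favicon.ico",           # 'self', allowed
                "https://tracker.example/pixel.png"):         # blocked and reported
        print(url, evaluate(POLICY, page, url))
```

The interesting row is `geo.yahoo.com`: it matches no allowing source, so a plain CSP evaluator would block and report it, but the `^` entry turns the outcome into a silent block, which is exactly the exception Mark is asking for without adding a separate "don't report" directive.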
