- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 19 Jul 2011 23:26:37 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
hmm .. I think creating a new keyword for "don't report warnings about
these origins" makes more sense than messing around with the semantics
of the other keywords. Maybe a keyword called no-warn?
--devdatta
>> modifier = "^" // do not report
>> / "?" // warn only
On 19 July 2011 23:22, Mark Nottingham <mnot@mnot.net> wrote:
>
> On 20/07/2011, at 4:19 PM, Devdatta Akhawe wrote:
>
>>>
>>> something like (using ABNF):
>>>
>>> source = [ modifier ] "self" / scheme ":" host [ ":" port ]
>>> modifier = "^" // do not report
>>> / "?" // warn only
>>>
>>
>> Again, I don't understand.
>>
>> How would this work for your case? Note that the geo fetch is
>> violating BOTH of your origin declarations ('self'/mnot.net and
>> *.static.flickr.com).
>>
>> Seems that the way to make an exception would be to add a new "Don't
>> report violations caused by access to the following origins:" keyword.
>> That seems pretty ugly to me.
>
> I'd declare something like
>
> img-src 'self' *.static.flickr.com ^geo.yahoo.com;
>
> where the last source has the semantic "yes, I know geo.yahoo.com is going to create a violation; don't allow it, but don't report it either."
>
> --
> Mark Nottingham http://www.mnot.net/
Received on Wednesday, 20 July 2011 06:27:24 UTC
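The modifier syntax sketched in the quoted ABNF, as an added toy evaluator that is not code from this thread or from any CSP implementation; it assumes host-only matching (scheme and port ignored) and gives "?" the meaning "allow the fetch but emit a warning", which the thread itself does not pin down.

```python
# Added example, not code from the thread: a toy evaluator for the
# source-list modifier syntax proposed above ("^" = block but do not
# report; "?" = warn only). The "?" semantics are an assumption here:
# the fetch is allowed and a warning, not a violation report, is emitted.
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    pattern: str    # 'self' or a host pattern such as *.static.flickr.com
    modifier: str   # '' (normal allow), '^' (deny silently), '?' (warn only)

def parse_directive(directive: str):
    """Parse e.g. "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"
    into (directive name, [Source, ...])."""
    name, _, rest = directive.strip().rstrip(";").partition(" ")
    sources = []
    for tok in rest.split():
        modifier = ""
        if tok[0] in "^?":            # modifier prefix from the proposed ABNF
            modifier, tok = tok[0], tok[1:]
        sources.append(Source(tok.strip("'"), modifier))
    return name, sources

def host_matches(pattern: str, host: str, self_host: str) -> bool:
    """Host-only matching (scheme and port are ignored in this toy)."""
    if pattern == "self":
        return host == self_host
    if pattern.startswith("*."):      # wildcard matches any subdomain
        return host.endswith(pattern[1:])
    return host == pattern

def evaluate(directive: str, host: str, self_host: str):
    """Return (decision, report) for a fetch from `host`: decision is
    'allow' or 'block'; report is 'none', 'warning' or 'violation'."""
    _, sources = parse_directive(directive)
    matched = {s.modifier for s in sources
               if host_matches(s.pattern, host, self_host)}
    if "" in matched:             # a plain source allows it outright
        return "allow", "none"
    if "^" in matched:            # known offender: block, but stay quiet
        return "block", "none"
    if "?" in matched:            # assumed semantics: allow but warn
        return "allow", "warning"
    return "block", "violation"   # ordinary CSP violation, reported

if __name__ == "__main__":
    policy = "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"
    for h in ("mnot.net", "farm1.static.flickr.com", "geo.yahoo.com", "evil.example"):
        print(h, evaluate(policy, h, "mnot.net"))
```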