
Re: Using CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 19 Jul 2011 23:26:37 -0700
Message-ID: <CAPfop_1g6RkwrudjuV0cufOgnHT1gR=aGudrcC+t9obH0M8xqg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
hmm .. I think creating a new keyword for "don't report warnings about
these origins" makes more sense than messing around with the semantics
of the other keywords. Maybe a keyword called no-warn ?

--devdatta

>>  modifier = "^" // do not report
>>                  / "?"  // warn only

On 19 July 2011 23:22, Mark Nottingham <mnot@mnot.net> wrote:
>
> On 20/07/2011, at 4:19 PM, Devdatta Akhawe wrote:
>
>>>
>>> something like (using ABNF):
>>>
>>>  source = [ modifier ]  "self" / scheme ":" host  [ ":" port ]
>>>  modifier = "^" // do not report
>>>                  / "?"  // warn only
>>>
>>
>> Again, I don't understand.
>>
>> How would this work for your case? Note that the geo fetch is
>> violating BOTH of your origin declarations ('self'/mnot.net and
>> *.static.flickr.com).
>>
>> Seems that the way to make an exception would be to add a new "Don't
>> report violations caused by access to the following origins:" keyword.
>> That seems pretty ugly to me.
>
> I'd declare something like
>
>  img-src 'self' *.static.flickr.com ^geo.yahoo.com;
>
> where the last source has the semantic "yes, I know geo.yahoo.com is going to create a violation; don't allow it, but don't report it either."
>
> --
> Mark Nottingham   http://www.mnot.net/
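To make the two proposals concrete, here is an added example (not code from the thread or from any CSP implementation) that evaluates an image fetch against the modifier syntax Mark sketched: a source prefixed with "^" is blocked but never reported, one prefixed with "?" is allowed but reported as a warning, and an unmodified source is enforced normally. It assumes host-only source expressions as in the thread's example, first-match-wins ordering, and a hypothetical Decision tuple; the policy string and URLs below are constructed for illustration.

```python
"""Evaluator for the hypothetical "^" / "?" source modifiers discussed in this thread.
This is NOT real Content-Security-Policy syntax; it models the proposal only."""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit

# Proposed modifiers: "^" = block silently, "?" = warn only (allow, but report).
MODIFIERS = {"^": "silent", "?": "warn"}


class Decision(NamedTuple):
    allowed: bool   # was the fetch permitted?
    reported: bool  # would a violation/warning report be generated?


def parse_directive(directive: str, self_host: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse "img-src 'self' *.static.flickr.com ^geo.yahoo.com;" into
    (directive_name, [(host_pattern, mode), ...]); 'self' expands to self_host."""
    name, *sources = directive.rstrip(";").split()
    parsed = []
    for src in sources:
        mode = "enforce"
        if src[0] in MODIFIERS:                 # strip a leading "^" or "?"
            mode, src = MODIFIERS[src[0]], src[1:]
        host = self_host if src == "'self'" else src
        parsed.append((host.lower(), mode))
    return name, parsed


def evaluate(directive: str, self_host: str, url: str) -> Decision:
    """Decide whether fetching `url` is allowed and whether it is reported.
    Assumption: the first matching source expression wins."""
    _, sources = parse_directive(directive, self_host)
    host = (urlsplit(url).hostname or "").lower()
    for pattern, mode in sources:
        if fnmatchcase(host, pattern):          # "*.static.flickr.com" style wildcard
            if mode == "enforce":
                return Decision(allowed=True, reported=False)
            if mode == "warn":
                return Decision(allowed=True, reported=True)
            return Decision(allowed=False, reported=False)  # "^": blocked, stays quiet
    # No source matched: a normal violation, blocked and reported.
    return Decision(allowed=False, reported=True)


if __name__ == "__main__":
    # Constructed policy mirroring the thread's example.
    policy = "img-src 'self' *.static.flickr.com ^geo.yahoo.com;"
    for u in ("http://www.mnot.net/logo.png", "http://farm1.static.flickr.com/a.jpg",
              "http://geo.yahoo.com/p.gif", "http://other.example/p.gif"):
        print(u, evaluate(policy, "www.mnot.net", u))
```

The "^" entry is what lets geo.yahoo.com keep being blocked without flooding the report endpoint, while a host outside the policy still produces a report.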
Received on Wednesday, 20 July 2011 06:27:24 GMT
