- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 26 Jul 2011 17:19:00 -0700
- To: mozilla.dev.security@googlegroups.com
- CC: Eli Grey <isephr@gmail.com>, mozilla-dev-security@lists.mozilla.org, "public-web-security@w3.org" <public-web-security@w3.org>
On 7/22/11 7:18 PM, Eli Grey wrote:
> CSP needs a way to support object URLs, of which the scheme is
> implementation specific (e.g. moz-filedata:{GUID} in Firefox,
> blob:{origin}{GUID} in WebKit). How might this be accomplished?

This is a better conversation for public-web-security@w3.org where we're
working on standardizing CSP -- added with a CC though this conversation is
likely to fork.

Off the top of my head I think we should treat those as coming from 'self'
since the data is ultimately available to the page and under its control.

If that doesn't work another option is to treat them similarly to data:
urls: block them unless explicitly allowed and let them be whitelisted by
scheme alone.

-Dan Veditz
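The two treatments sketched in the reply above, as an added example that is not part of the thread or of any browser's CSP code: a small CSP source-list matcher in Python in which object URLs are either folded into 'self' or admitted only by an explicit scheme-source such as blob: (the latter is the direction later CSP specifications took). The function names, the object-URL scheme list and the sample policies are assumptions, and host-source matching is simplified.

```python
from urllib.parse import urlsplit

OBJECT_URL_SCHEMES = ("blob", "moz-filedata")  # the "object URL" schemes named in the thread (assumed list)
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def _parts(text):
    """(scheme, host, effective port) of a URL, origin or host-source."""
    p = urlsplit(text)
    return p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme)

def _host_source_matches(source, url, page_scheme):
    """CSP host-source: [scheme://]host[:port]; host may start with '*.'."""
    s_scheme, s_host, s_port = _parts(source if "://" in source else "//" + source)
    u_scheme, u_host, u_port = _parts(url)
    if s_scheme and s_scheme != u_scheme:
        return False
    if not s_scheme and u_scheme != page_scheme:  # scheme-less source: page's scheme (simplified)
        return False
    if s_host.startswith("*."):
        if not u_host.endswith(s_host[1:]):  # *.example.com does not match example.com itself
            return False
    elif s_host != u_host:
        return False
    return (s_port or DEFAULT_PORTS.get(u_scheme)) == u_port

def allows(directive_sources, url, page_origin, object_urls="scheme"):
    """True if a CSP source list (e.g. "'self' https://cdn.example.com blob:")
    permits `url` on a page at `page_origin`.
    object_urls="self":   first option in the thread, object URLs count as 'self'.
    object_urls="scheme": second option, blocked unless the list names their scheme ("blob:").
    """
    sources = directive_sources.split()
    scheme, _, _ = _parts(url)
    page_scheme, _, _ = _parts(page_origin)
    if scheme in OBJECT_URL_SCHEMES:
        if object_urls == "self" and "'self'" in sources:
            return True
        return scheme + ":" in sources
    for src in sources:
        if src == "'self'":
            if _parts(url) == _parts(page_origin):
                return True
        elif src.startswith("'"):  # 'none', 'unsafe-inline', ...: never match a URL
            continue
        elif src.endswith(":") and "/" not in src:  # scheme-source such as data:
            if scheme == src[:-1]:
                return True
        elif _host_source_matches(src, url, page_scheme):
            return True
    return False
```

With the default `object_urls="scheme"`, a policy of `'self'` alone rejects a blob: URL created by the page, exactly as it rejects a data: URL; switching to `object_urls="self"` shows the first option, where the same policy admits it.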
Received on Wednesday, 27 July 2011 00:19:49 UTC