
Re: CSP and object URLs

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 26 Jul 2011 17:19:00 -0700
Message-ID: <4E2F5974.8030101@mozilla.com>
To: mozilla.dev.security@googlegroups.com
CC: Eli Grey <isephr@gmail.com>, mozilla-dev-security@lists.mozilla.org, "public-web-security@w3.org" <public-web-security@w3.org>
On 7/22/11 7:18 PM, Eli Grey wrote:
> CSP needs a way to support object URLs, of which the scheme is
> implementation specific (e.g. moz-filedata:{GUID} in Firefox,
> blob:{origin}{GUID} in WebKit). How might this be accomplished?

This is a better conversation for public-web-security@w3.org where
we're working on standardizing CSP -- added with a CC though this
conversation is likely to fork.

Off the top of my head I think we should treat those as coming from
'self' since the data is ultimately available to the page and under
its control.

If that doesn't work another option is to treat them similarly to
data: urls: block them unless explicitly allowed and let them be
whitelisted by scheme alone.

-Dan Veditz
Received on Wednesday, 27 July 2011 00:19:49 GMT
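As an added illustration of the two options Dan sketches (this is example code, not from the thread, from any browser's CSP implementation, or from the CSP spec), the following JavaScript models a simplified CSP source matcher. The function name `isAllowed`, the `objectUrlPolicy` switch, and the sample origins and GUIDs are assumptions made for the example; real CSP source-expression matching (wildcards, ports, paths) is more involved than the three source forms handled here.

```javascript
// Illustrative model of how a CSP directive could treat object URLs under
// the two options discussed in the mail. Not a real CSP implementation.
// Source expressions supported: 'self', scheme sources ("https:", "blob:",
// "data:") and exact-origin host sources ("https://cdn.example").

// Object-URL schemes named in the thread: WebKit's blob:{origin}{GUID}
// and Firefox's moz-filedata:{GUID} (the latter embeds no origin).
const OBJECT_URL_SCHEMES = new Set(['blob:', 'moz-filedata:']);

// Split a directive value such as "'self' https://cdn.example blob:" into
// its individual source expressions.
function parseSources(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Origin of an ordinary URL, or of the URL embedded after "blob:".
// Returns null when the URL carries no recoverable origin.
function originOf(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'blob:') {
    // For a non-special scheme the WHATWG parser leaves the remainder
    // ("https://app.example/GUID") in pathname; parse that for the origin.
    try { return new URL(url.pathname).origin; } catch { return null; }
  }
  if (url.protocol === 'moz-filedata:') return null;
  return url.origin;
}

// objectUrlPolicy (hypothetical switch modelling the two proposals):
//   'self'   -> object URLs are treated as coming from 'self', since the
//               data is already available to and controlled by the page
//   'scheme' -> object URLs are blocked unless their scheme itself is
//               whitelisted, the same way data: is handled
function isAllowed(urlString, directiveValue, pageOrigin, objectUrlPolicy) {
  const sources = parseSources(directiveValue);
  const url = new URL(urlString);

  if (OBJECT_URL_SCHEMES.has(url.protocol)) {
    if (objectUrlPolicy === 'self') return sources.includes("'self'");
    return sources.includes(url.protocol);
  }

  const origin = originOf(urlString);
  for (const src of sources) {
    if (src === "'self'" && origin !== null && origin === pageOrigin) return true;
    // scheme source, e.g. "https:" or "data:"
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src) && src === url.protocol) return true;
    // exact-origin host source, e.g. "https://cdn.example"
    if (src.includes('//') && origin === src) return true;
  }
  return false;
}

// Constructed sample: a page at https://app.example with a script-src
// policy, checked under both object-URL policies.
function demo() {
  const page = 'https://app.example';
  const policy = "'self' https://cdn.example";
  const blobUrl = 'blob:https://app.example/0f1a2b3c-constructed-guid';
  return {
    blobAsSelf: isAllowed(blobUrl, policy, page, 'self'),          // true
    blobNeedsScheme: isAllowed(blobUrl, policy, page, 'scheme'),   // false
    blobSchemeListed: isAllowed(blobUrl, policy + ' blob:', page, 'scheme'), // true
  };
}

console.log(demo());
```

The `'scheme'` mode mirrors the data: precedent Dan refers to: the page author has to opt in with a bare `blob:` (or `moz-filedata:`) token, and the whitelist is by scheme alone because the GUID portion is not predictable enough to list.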
