W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

CSP interaction with about:blank and document.open

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 24 Mar 2011 16:26:01 -0700
Message-ID: <AANLkTimZ8Dx7fwxW0gSnScZeChhp-7pXo8=NUNxEpbVu@mail.gmail.com>
To: public-web-security@w3.org
Sayeth CSP:

[[
If a scheme is not specified as part of the source expression, a
user-agent MUST use the same scheme as the protected document.
]]

Which scheme, precisely, should we use?  For example, suppose we have
an about:blank document that (somehow) acquires a CSP policy.  Should
we use "about" as the default scheme?

Suppose we have an about:blank iframe inside a document with a CSP
policy.  Should the document inside the iframe be bound by the CSP
policy of the paper frame?  (Same question for data URLs.)

Recommendation:

1) We should incorporate the CSP policy for a document into the
security origin state for the document, just as HTML5 does for
iframe@sandbox.  That means the CSP policy will inherit although with
the rest of the document's security context (e.g., origin and sandbox
flags).

2) We should grab the scheme from the origin of the document.  If the
document has a security origin that lacks a scheme (e.g., because it's
been sandboxed), then we ignore source values without an explicit
scheme (aka, no soup for you).

Thoughts?
Adam
Received on Thursday, 24 March 2011 23:27:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 24 March 2011 23:27:05 GMT