- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 27 Mar 2011 16:48:38 -0700
- To: public-web-security@w3.org
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html says:

[[ The script-src directive defines the list of sources that are permitted to load external <script> elements. The origin portion of the src attribute of an external <script> element MUST be present in the source list defined by the script-src directive in order for the script resource to be requested. User-agents MUST NOT request script resources from non-approved sources. ]]

I'm having trouble understanding what that text means. What is "the origin portion of the src attribute of an external <script> element"? For example, is <script src="relative-path.js"></script> banned because the src attribute doesn't have an appropriate origin portion? Does "user-agents MUST NOT request script resources from non-approved sources" mean that I'm supposed to enforce these restrictions on each hop of the redirect chain or just for the first request?

We should spell out the requirements explicitly because that's a likely area for implementation confusion (as evidenced by lots of historical screw-ups in the area of redirects).

IMHO, we should phrase the resource-loading requirements for CSP in terms of HTML5's "fetch" apparatus:

http://www.whatwg.org/specs/web-apps/current-work/#fetching-resources

For example, that's how CORS specifies how to handle cross-origin XMLHttpRequests:

http://www.w3.org/TR/access-control/

Adam
Received on Sunday, 27 March 2011 23:49:42 UTC
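The following Node.js script is an added illustration of the two questions the message raises; it is not code from the CSP draft, from the W3C list, or from Adam Barth. It implements one possible reading of the quoted text: a relative src is first resolved against the document URL (so "relative-path.js" lands on the document's own origin and matches 'self'), and the script-src source list is re-applied at every hop of a redirect chain, not only to the first request. That per-hop treatment of redirects is an assumption chosen for the example, as is the simplified source-expression grammar ('self', 'none', scheme:, and [scheme://]host[:port] with an optional *. prefix; keyword sources such as 'unsafe-inline' are rejected). The policy strings, host names and the redirect table standing in for the network are all constructed.

```javascript
// Added illustration (not the CSP draft's or the message author's code): one reading
// of the script-src rule quoted in the message. A relative src is resolved against the
// document URL, so it matches 'self'; the source list is re-applied at every redirect
// hop (assumption). Policies, host names and the redirect table are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Effective port of a URL object as a string ("" if the scheme has no default port).
function portOf(u) {
  return u.port || DEFAULT_PORT[u.protocol] || '';
}

// Parse one source expression into { scheme, host, port }. Returns null for 'none'.
// port === undefined means "default port of the matched URL's scheme"; '*' means any.
// Quoted keywords other than 'self'/'none' fall through to the error (out of scope here).
function parseSource(expr, doc) {
  if (expr === "'none'") return null;
  if (expr === "'self'") {
    return { scheme: doc.protocol, host: doc.hostname, port: portOf(doc) };
  }
  let m = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);                 // scheme-only, e.g. https:
  if (m) return { scheme: m[1].toLowerCase() + ':', host: '*', port: '*' };
  m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*']+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : doc.protocol,     // no scheme: inherit the document's
    host: m[2].toLowerCase(),
    port: m[3],
  };
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);                              // "*.example.com" -> ".example.com"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return pattern === hostname;
}

function sourceMatches(src, url) {
  // Scheme must match; an http: source is also allowed to match an https: URL.
  if (src.scheme !== url.protocol && !(src.scheme === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  if (!hostMatches(src.host, url.hostname.toLowerCase())) return false;
  if (src.port === '*') return true;
  const want = src.port === undefined ? (DEFAULT_PORT[url.protocol] || '') : src.port;
  return portOf(url) === want;
}

function urlAllowed(sources, url) {
  return sources.some(s => s !== null && sourceMatches(s, url));
}

// Simulate fetching <script src=srcAttr> from a document at documentUrl under `policy`
// (the script-src value). `redirects` is a constructed stand-in for the network: a map
// from request URL to the Location header it answers with (absolute or relative).
// Returns { allowed, blockedAt, chain }; chain lists every URL the policy was checked on.
function fetchScript(policy, documentUrl, srcAttr, redirects) {
  const doc = new URL(documentUrl);
  const sources = policy.trim().split(/\s+/).map(e => parseSource(e, doc));
  const chain = [];
  let current = new URL(srcAttr, documentUrl);       // "relative-path.js" -> document origin
  for (let hop = 0; hop < 20; hop++) {
    chain.push(current.href);
    if (!urlAllowed(sources, current)) {
      return { allowed: false, blockedAt: current.href, chain };
    }
    const location = redirects[current.href];
    if (location === undefined) return { allowed: true, blockedAt: null, chain };
    current = new URL(location, current);            // Location is resolved against this hop
  }
  return { allowed: false, blockedAt: 'too many redirects', chain };
}

// Constructed scenario: the approved CDN bounces one path to an unapproved host and
// another to a relative Location on the same host.
const REDIRECTS = {
  'https://cdn.example.com/old.js': 'https://evil.example.net/payload.js',
  'https://cdn.example.com/lib.js': '/v2/lib.js',
};
const DOC = 'https://app.example.com/page.html';
const POLICY = "'self' https://cdn.example.com";

function demo() {
  const srcs = ['relative-path.js', 'https://cdn.example.com/lib.js',
                'https://cdn.example.com/old.js', 'https://app.example.com:8443/x.js'];
  return srcs.map(src => [src, fetchScript(POLICY, DOC, src, REDIRECTS)]);
}
for (const [src, result] of demo()) console.log(src, '->', JSON.stringify(result));
```

Under this reading the relative src is allowed (it resolves to https://app.example.com/relative-path.js, which 'self' covers), the CDN script that redirects within the CDN is allowed on both hops, the CDN script that redirects to evil.example.net is blocked on the second hop even though the first request was approved, and a same-host src on port 8443 is blocked because 'self' carries the document's port. The point of the per-hop check is exactly the redirect case: checking only the first request would let an approved host hand the browser off to any origin.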