W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

script-src requirements

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 27 Mar 2011 16:48:38 -0700
Message-ID: <AANLkTin8NdnuW0nTvuxugaHGsuQgAY9Ot8fXv3pT-oJW@mail.gmail.com>
To: public-web-security@w3.org
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
says:

[[
The script-src directive defines the list of sources that are
permitted to load external <script> elements.

The origin portion of the src attribute of an external <script>
element MUST be present in the source list defined by the script-src
directive in order for the script resource to be requested.

User-agents MUST NOT request script resources from non-approved sources.
]]

I'm having trouble understanding what that text means.  What is "the
origin portion of the src attribute of an external <script> element"?
For example, is <script src="relative-path.js"></script> banned
because the src attribute doesn't have an appropriate origin portion?

Does "user-agents MUST NOT request script resources from non-approved
sources" mean that I'm supposed to enforce these restrictions on each
hop of the redirect chain or just for the first request?  We should
spell out the requirements explicitly because that's a likely area for
implementation confusion (as evidenced by lots of historical screw-ups
in the area of redirects).

IMHO, we should phrase the resource-loading requirements for CSP in
terms of HTML5's "fetch" apparatus:

http://www.whatwg.org/specs/web-apps/current-work/#fetching-resources

For example, that's how CORS specifies how to handle cross-origin
XMLHttpRequests:

http://www.w3.org/TR/access-control/

Adam
Received on Sunday, 27 March 2011 23:49:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 27 March 2011 23:49:43 GMT