W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

Re: script-src requirements

From: Brandon Sterne <bsterne@mozilla.com>
Date: Mon, 28 Mar 2011 13:24:31 -0700
Message-ID: <4D90EE7F.1050506@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
On 03/27/2011 05:04 PM, Adam Barth wrote:
> On Sun, Mar 27, 2011 at 4:48 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Does "user-agents MUST NOT request script resources from non-approved
>> sources" mean that I'm supposed to enforce these restrictions on each
>> hop of the redirect chain or just for the first request?  We should
>> spell out the requirements explicitly because that's a likely area for
>> implementation confusion (as evidenced by lots of historical screw-ups
>> in the area of redirects).
> 
> I found this text at the bottom of the spec:
> 
> [[
> For any protected document, when a request for a sub-document resource
> is redirected to another location, whether temporary or permanent, all
> locations in the resource's redirect chain, including the initial
> location and all subsequent redirected locations, must be permitted by
> the protected document's security policy in order for the sub-document
> resource to be allowed to load. If any step in the redirect process
> violates the protected document's security policy, the request should
> be terminated immediately and the load canceled.
> ]]
> 
> It would be helpful if there was some connection between the
> requirements for the directives and this text.  For example, you could
> define earlier in the spec what it means to restrict a resource load
> (and have some text like the above explaining what that means for
> redirects) and then when describing the directives, you can refer to
> the defined term.
> 
> Adam

I agree and I've also created a TODO item in my issue tracker to more
directly tie in the redirect-handling language with resource loading.

Cheers,
Brandon
Received on Monday, 28 March 2011 20:22:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 28 March 2011 20:23:30 GMT