
Re: lcamtuf on the subtle/deadly problem with CSP

From: John Wilander <john.wilander@owasp.org>
Date: Thu, 1 Sep 2011 08:02:47 +0200
Message-Id: <9E71ABF6-1FE3-49A4-9403-F4F45E14479E@owasp.org>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, Daniel Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, "public-web-security@w3.org" <public-web-security@w3.org>
To: Michal Zalewski <lcamtuf@coredump.cx>

How about a 'static' directive? With it no domains or paths have to be specified, only the static references available at initial page load will be accepted.

A lot of libs etc. rely on dynamic loading, so maybe it won't be usable in practice. I'm just thinking of Michal's idea to reuse the full paths already there and still have working HTML in non-CSP browsers (Daniel's point).

   Regards, John

-- 
My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se

On 1 Sep 2011 at 06:53, Michal Zalewski <lcamtuf@coredump.cx> wrote:

>> The JSONP issue is one I've heard from multiple people, though, including CSP early adopters. Is it time to standardize a safer way to use JSONP?
> 
> Possibly, but what effect would it realistically have at this point?
> 
> /mz
> 
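As an added illustration of the idea the thread is circling (reusing the full script paths already present in the markup as the allow list, rather than whole domains), here is a small Python script written for this archive page; it is not from the thread, from any of the participants, or from a CSP implementation. The matching rule it implements (exact scheme, host and path; query string ignored) is an assumption modelled on later path-level CSP source matching, and the sample HTML and every URL in it are constructed placeholders. The side-by-side `allowed_by_path` / `allowed_by_host` check shows why a host-only list is wider than a path list when the same host also serves other script-returning endpoints, which is the JSONP concern raised above.

```python
"""Derive a path-level CSP script-src from the static <script src> references
in a page and compare path-level with host-level matching.

Hypothetical helper written for this page; not from the thread or a CSP spec.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the hosts and paths are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib/jquery-1.6.2.min.js"></script>
<script src="/js/app.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag; count inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            # Inline scripts cannot be named by URL; they would need a
            # separate mechanism (in later CSP levels, a nonce or hash).
            self.inline_count += 1


def analyze_page(html, page_url):
    """Return the deduplicated absolute script URLs referenced statically
    in the markup, plus the number of inline scripts that a URL list
    cannot cover."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    seen, sources = set(), []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        # Assumed rule: path matching ignores query string and fragment.
        absolute = absolute.split("#", 1)[0].split("?", 1)[0]
        if absolute not in seen:
            seen.add(absolute)
            sources.append(absolute)
    return {"sources": sources, "inline_scripts": collector.inline_count}


def build_script_src(sources):
    """Build a script-src directive naming each static script by full URL."""
    if not sources:
        return "script-src 'none'"
    return "script-src " + " ".join(sources)


def _key(url):
    p = urlsplit(url)
    return (p.scheme, p.netloc, p.path or "/")


def allowed_by_path(request_url, sources):
    """Exact scheme/host/path match (the path-level rule assumed here)."""
    return _key(request_url) in {_key(s) for s in sources}


def allowed_by_host(request_url, sources):
    """Scheme/host match only, i.e. what a domain-level source list permits."""
    p = urlsplit(request_url)
    return (p.scheme, p.netloc) in {_key(s)[:2] for s in sources}


if __name__ == "__main__":
    result = analyze_page(SAMPLE_HTML, "https://app.example/index.html")
    print(build_script_src(result["sources"]))
    print("inline scripts needing another mechanism:", result["inline_scripts"])
    probe = "https://cdn.example/jsonp?callback=f"
    print("path-level allows", probe, "->", allowed_by_path(probe, result["sources"]))
    print("host-level allows", probe, "->", allowed_by_host(probe, result["sources"]))
```

Running it prints a `script-src` that lists the two distinct script URLs from the sample page and reports one inline script the list cannot express; the probe URL on the same CDN host is rejected by the path-level rule but accepted by the host-level one.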
Received on Thursday, 1 September 2011 06:03:30 GMT
