Restricting <base> URLS via CSP

From: Alex Russell <slightlyoff@google.com>
Date: Wed, 27 Feb 2013 23:53:23 +0000
Message-ID: <CANr5HFU58LbgonhUG2nYiBsxYyiS_4fvAcQMcX9LS09wgZYfhg@mail.gmail.com>
To: public-web-security@w3.org
Cc: Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>

Hi all,

After chatting with Adam and Mike, I'd like to propose a new CSP field for
setting a restriction on the base URL of a document. Having this provided
in a header and/or early in the page provides a bulwark against many of the
worst post-CSS HTML injection attacks, and when combined with existing CSP
1.1 directives can deny many of the worst payload smuggling attacks.

Is there appetite in the group to specify this for 1.1?

Regards
Received on Wednesday, 27 February 2013 23:53:53 GMT
