Re: Restricting <base> URLS via CSP

Hi Alex,

FYI, I wrote a proposal on this list last year after a
suggestion from Adam Barth. Here are the references:

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html

https://bugs.webkit.org/show_bug.cgi?id=99318

Regards,

ashar


On Thu, Feb 28, 2013 at 12:53 AM, Alex Russell <slightlyoff@google.com> wrote:

> Hi all,
>
> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> setting a restriction on the base URL of a document. Having this provided
> in a header and/or early in the page provides a bulwark against many of the
> worst post-CSS HTML injection attacks, and when combined with existing CSP
> 1.1 directives can deny many of the worst payload smuggling attacks.
>
> Is there appetite in the group to specify this for 1.1?
>
> Regards
>

Received on Thursday, 28 February 2013 05:35:52 UTC