
Re: Restricting <base> URLS via CSP

From: Ashar Javed <justashar@gmail.com>
Date: Thu, 28 Feb 2013 06:32:17 +0100
Message-ID: <CAD5mSqVJF9V1bHTDZr7=_ikyRiDPbt4upSufc2oWZuN1GH_+sw@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: public-web-security@w3.org, Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>
Hi Alex,

FYI, I wrote a proposal on this list last year after a
suggestion from Adam Barth. Here are the references:

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html

https://bugs.webkit.org/show_bug.cgi?id=99318

Regards,

ashar


On Thu, Feb 28, 2013 at 12:53 AM, Alex Russell <slightlyoff@google.com> wrote:

> Hi all,
>
> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> setting a restriction on the base URL of a document. Having this provided
> in a header and/or early in the page provides a bulwark against many of the
> worst post-CSS HTML injection attacks, and when combined with existing CSP
> 1.1 directives can deny many of the worst payload smuggling attacks.
>
> Is there appetite in the group to specify this for 1.1?
>
> Regards
>
Received on Thursday, 28 February 2013 05:35:52 GMT
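To make the attack Alex's proposal is aimed at concrete, here is an added example (not code from the thread, the W3C, or any browser) that simulates what an injected <base> element does to a page's relative script URLs and then applies a simplified version of the proposed restriction, in the form it later took as the CSP base-uri directive. The page URL, the script paths, the policy string and the helper names are all assumptions; the source-expression matcher only handles 'none', 'self' and scheme://host sources, not wildcards, paths or bare scheme sources.

```javascript
// Added example, not from the original thread. Simulates <base> injection
// and a minimal base-uri check. Uses the global WHATWG URL class (Node.js
// and browsers); no other dependencies.

// Constructed sample: a page at https://app.example/account whose markup
// loads its scripts by relative path (assumed values).
const DOCUMENT_URL = "https://app.example/account";
const RELATIVE_SCRIPTS = ["static/app.js", "/static/vendor.js"];

// Resolve each relative src against the effective base URL, as a browser
// does when computing the request URL for <script src="...">. With an
// attacker-controlled base, every relative script now loads from the
// attacker's host even though no script tag was injected.
function resolveScripts(baseHref, relativeSrcs = RELATIVE_SCRIPTS) {
  return relativeSrcs.map((src) => new URL(src, baseHref).href);
}

// Minimal CSP source-expression matcher: 'none', 'self' and
// scheme://host[:port] host sources. Wildcards, paths and bare scheme
// sources are deliberately unsupported in this illustration.
function matchesSource(expr, candidate, documentOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return candidate.origin === documentOrigin;
  const allowed = new URL(expr); // e.g. https://cdn.example
  return allowed.origin === candidate.origin;
}

// Decide whether a <base href> may take effect under a policy such as
// "base-uri 'self'". Returns the base URL the document should use:
// the injected one if the policy permits it, otherwise the document's
// own URL (i.e. the injection is ignored). An empty policy allows any base.
function effectiveBase(injectedHref, policy, documentUrl = DOCUMENT_URL) {
  const doc = new URL(documentUrl);
  const candidate = new URL(injectedHref, documentUrl);
  const directive = (policy || "").replace(/^base-uri\s+/, "").trim();
  if (directive === "") return candidate.href;
  const exprs = directive.split(/\s+/);
  const allowed = exprs.some((e) => matchesSource(e, candidate, doc.origin));
  return allowed ? candidate.href : documentUrl;
}

// Walk through the scenario: an injected <base href="https://attacker.example/">
// with and without a base-uri restriction in place.
function demo() {
  const injected = "https://attacker.example/";
  return {
    unrestricted: resolveScripts(effectiveBase(injected, "")),
    restricted: resolveScripts(effectiveBase(injected, "base-uri 'self'")),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` and compare the two lists: without the directive both relative scripts resolve under attacker.example, with `base-uri 'self'` the injected base is discarded and they resolve under app.example again. This is why the restriction combines well with the other directives Alex mentions: script-src alone does not stop a relative src from being redirected by <base>, but once the base is pinned, script-src can reason about the real origin of each request.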
