Re: Restricting <base> URLS via CSP

From: Ashar Javed <justashar@gmail.com>
Date: Thu, 28 Feb 2013 06:32:17 +0100
Message-ID: <CAD5mSqVJF9V1bHTDZr7=_ikyRiDPbt4upSufc2oWZuN1GH_+sw@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: public-web-security@w3.org, Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>

Hi Alex,

FYI, I wrote a proposal on this list last year after a
suggestion from Adam Barth. Here are the references:





On Thu, Feb 28, 2013 at 12:53 AM, Alex Russell <slightlyoff@google.com> wrote:

> Hi all,
> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> setting a restriction on the base URL of a document. Having this provided
> in a header and/or early in the page provides a bulwark against many of the
> worst post-CSS HTML injection attacks, and when combined with existing CSP
> 1.1 directives can deny many of the worst payload smuggling attacks.
> Is there appetite in the group to specify this for 1.1?
> Regards
Received on Thursday, 28 February 2013 05:35:52 UTC