RE: Restricting <base> URLS via CSP from Ahamed Nafeez on 2013-02-28 (public-web-security@w3.org from February 2013)

From: Ahamed Nafeez <skepticfx@hotmail.com>
Date: Thu, 28 Feb 2013 01:09:39 +0000
To: "public-web-security@w3.org" <public-web-security@w3.org>, Alex Russell <slightlyoff@google.com>
CC: Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>
Message-ID: <BAY404-EAS272779E2204A0AE9680048BA2FE0@phx.gbl>

Great one. It’s a much needed feature to make CSP more effective.

Sent from Windows Mail

From: Alex Russell
Sent: ‎February‎ ‎28‎, ‎2013 ‎5‎:‎24‎ ‎AM
To: public-web-security@w3.org
CC: Adam Barth, Mike West
Subject: Restricting <base> URLS via CSP

Hi all,

After chatting with Adam and Mike, I'd like to propose a new CSP field for setting a restriction on the base URL of a document. Having this provided in a header and/or early in the page provides a bulwark against many of the worst post-CSS HTML injection attacks, and when combined with existing CSP 1.1 directives can deny many of the worst payload smuggling attacks.

Is there appetite in the group to specify this for 1.1?

Regards

Received on Thursday, 28 February 2013 07:37:52 UTC