
RE: Restricting <base> URLS via CSP

From: Ahamed Nafeez <skepticfx@hotmail.com>
Date: Thu, 28 Feb 2013 01:09:39 +0000
Message-ID: <BAY404-EAS272779E2204A0AE9680048BA2FE0@phx.gbl>
To: "public-web-security@w3.org" <public-web-security@w3.org>, Alex Russell <slightlyoff@google.com>
CC: Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>
Great one. It’s a much needed feature to make CSP more effective.

Sent from Windows Mail

From: Alex Russell
Sent: February 28, 2013 5:24 AM
To: public-web-security@w3.org
CC: Adam Barth, Mike West
Subject: Restricting <base> URLS via CSP

Hi all,

After chatting with Adam and Mike, I'd like to propose a new CSP field for setting a restriction on the base URL of a document. Having this provided in a header and/or early in the page provides a bulwark against many of the worst post-CSS HTML injection attacks, and when combined with existing CSP 1.1 directives can deny many of the worst payload smuggling attacks.

Is there appetite in the group to specify this for 1.1?

Regards

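
Added illustration, not part of this thread and not code from the proposer: the proposal above is about a directive that limits what a document's <base> may point to. The Python below shows the problem the directive addresses and a minimal model of the check. It resolves a relative reference against the document URL with and without an injected <base href>, and emulates a small subset of CSP source expressions ('self', 'none', and host sources with an optional leading *.) to decide whether a given base href is permitted; a disallowed base is ignored, so relative references keep resolving against the document URL. The function names, the source-expression subset and the sample URLs are assumptions made for this example. CSP Level 2 later standardized this directive as base-uri; that name does not appear in the message above.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not from the thread: a minimal model of "restrict the base
# URL via CSP". Function names and the source-expression subset are assumptions.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def resolve(document_url, base_href, relative_ref):
    """Resolve a relative reference the way a browser does: against the
    <base href> when one is present, otherwise against the document URL."""
    effective = urljoin(document_url, base_href) if base_href else document_url
    return urljoin(effective, relative_ref)


def _parse_host_source(source, document_scheme):
    """Parse a host-source such as https://cdn.example.com:8443 or *.example.com."""
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        # Scheme-less sources inherit the document's scheme in this model.
        scheme, rest = document_scheme, source
    host, _, port = rest.partition(":")
    port = int(port) if port else DEFAULT_PORTS.get(scheme.lower())
    return scheme.lower(), host.lower(), port


def source_matches(source, document_url, candidate_url):
    """Does one CSP-style source expression permit candidate_url?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(candidate_url) == _origin(document_url)
    s_scheme, s_host, s_port = _parse_host_source(source, urlsplit(document_url).scheme)
    c_scheme, c_host, c_port = _origin(candidate_url)
    if (s_scheme, s_port) != (c_scheme, c_port):
        return False
    if s_host.startswith("*."):
        # "*.example.com" matches subdomains only, never the bare apex.
        return c_host.endswith(s_host[1:])
    return s_host == c_host


def base_allowed(policy_sources, document_url, base_href):
    """True if the (possibly relative) base href resolves to a URL that some
    source in the policy permits."""
    candidate = urljoin(document_url, base_href)
    return any(source_matches(src, document_url, candidate) for src in policy_sources)


def effective_base(policy_sources, document_url, base_href):
    """Base URL the document ends up with: a disallowed <base> is ignored,
    so relative references keep resolving against the document URL."""
    if base_href and base_allowed(policy_sources, document_url, base_href):
        return urljoin(document_url, base_href)
    return document_url


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    doc = "https://app.example.com/account/settings"
    injected = "https://attacker.example.net/"  # a <base href> that HTML injection could plant
    print(resolve(doc, None, "/static/app.js"))       # stays on app.example.com
    print(resolve(doc, injected, "/static/app.js"))   # relative script URL now leaves the site
    print(effective_base(["'self'"], doc, injected))  # a 'self' policy ignores the injected base
```

The model only helps if the policy is known before the parser reaches a <base> element, which is why the proposal asks for it in a header or early in the page: a policy delivered after the element has already changed the document base does nothing for the references resolved in between.
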
Received on Thursday, 28 February 2013 07:37:52 GMT