W3C home > Mailing lists > Public > public-web-security@w3.org > February 2013

RE: Restricting <base> URLS via CSP

From: Ahamed Nafeez <skepticfx@hotmail.com>
Date: Thu, 28 Feb 2013 01:09:39 +0000
Message-ID: <BAY404-EAS272779E2204A0AE9680048BA2FE0@phx.gbl>
To: "public-web-security@w3.org" <public-web-security@w3.org>, Alex Russell <slightlyoff@google.com>
CC: Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>
Great one. It’s a much needed feature to make CSP more effective.

Sent from Windows Mail

From: Alex Russell
Sent: ‎February‎ ‎28‎, ‎2013 ‎5‎:‎24‎ ‎AM
To: public-web-security@w3.org
CC: Adam Barth, Mike West
Subject: Restricting <base> URLS via CSP

Hi all,

After chatting with Adam and Mike, I'd like to propose a new CSP field for setting a restriction on the base URL of a document. Having this provided in a header and/or early in the page provides a bulwark against many of the worst post-CSS HTML injection attacks, and when combined with existing CSP 1.1 directives can deny many of the worst payload smuggling attacks.

Is there appetite in the group to specify this for 1.1?

Received on Thursday, 28 February 2013 07:37:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:20 UTC