
Re: CSP 1.1: More granular source list definitions.

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Mon, 02 Jul 2012 13:45:38 +0200
To: public-webappsec@w3.org
Message-ID: <op.wgthmcak49xobu@odinho-fido.oslo.osa>
On Fri, 22 Jun 2012 11:31:41 +0200, Mike West <mkwst@google.com> wrote:
> One of the proposals for CSP 1.1 is additional granularity in source paths
> (http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1).
> I think this additional granularity is well worth perusing

I think so too. There are many places in CSP where I think it's a bit too
granular and rather too complex IMHO, but this case seems a quite common
way to give some additional security to smaller sites.

In fact, it was also the first thing that came up when I talked with
hackers making a small, locally hosted image gallery application.

You can work around it by having a userfiles domain, but it would  
complicate the setup procedure immensely.

The problem with how the spec is doing things now (throwing away the path
component) is that sites using CSP (1.0) will no doubt have errors.
They'll write script-src: http://my-site.com/js/ and use scripts from js,
except for that one time they use one on /my-demo/js.js and it works
anyway, so they actually don't think about it.

So if CSP 1.0 is allowed to live a long time in a browser, the behavior we  
have now might actually be mandatory for site-compat.

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
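The mismatch described in this message, as an added example that is not part of the thread: a small source-expression matcher that evaluates `script-src http://my-site.com/js/` against the two scripts mentioned, once with the 1.0 behaviour (path discarded) and once with a path-aware 1.1 behaviour. The 1.1 semantics are an assumption here, taken from what the later CSP spec adopted: a path ending in "/" is a prefix match, any other path is an exact match.

```javascript
// Added example, not code from the mailing-list post.
// Compares host-only ("1.0") matching with path-aware ("1.1") matching
// for a single CSP source expression. Runs under Node (global URL class).

// Split a source expression into the parts the matcher compares.
function parseSourceExpression(expr) {
  const u = new URL(expr);
  return { scheme: u.protocol, host: u.hostname, port: u.port, path: u.pathname };
}

// Decide whether resourceUrl is allowed by sourceExpr under the given mode.
// mode "1.0": scheme/host/port only, the path is thrown away.
// mode "1.1": path is kept; trailing "/" means prefix match, else exact
//             match (assumed semantics, see lead-in).
function isAllowed(sourceExpr, resourceUrl, mode) {
  const src = parseSourceExpression(sourceExpr);
  const res = new URL(resourceUrl);
  if (src.scheme !== res.protocol) return false;
  if (src.host !== res.hostname) return false;
  if (src.port !== res.port) return false;
  if (mode === '1.0') return true;
  if (src.path.endsWith('/')) return res.pathname.startsWith(src.path);
  return res.pathname === src.path;
}

// Constructed samples: the policy from the message and the two scripts
// it describes (the intended one under /js/ and the stray /my-demo/js.js).
const POLICY = 'http://my-site.com/js/';
const SAMPLES = [
  'http://my-site.com/js/app.js',
  'http://my-site.com/my-demo/js.js',
  'http://evil.example/js/app.js',
];

// Evaluate every sample under one mode; returns { url: allowed }.
function evaluate(mode) {
  return Object.fromEntries(SAMPLES.map(u => [u, isAllowed(POLICY, u, mode)]));
}

// Under "1.0" the stray script is silently allowed; under "1.1" it is blocked,
// which is exactly the site-compat break the message worries about.
console.log('1.0:', evaluate('1.0'));
console.log('1.1:', evaluate('1.1'));
```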
Received on Monday, 2 July 2012 11:46:16 GMT
