
Re: script and data uri

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 19 Jul 2012 14:25:29 -0700
Message-ID: <CAJE5ia9zJMr7sV4UCMGPrdVYFT7FKPZhzxOJjVPvn=_CKvKJ7Q@mail.gmail.com>
To: David Bruant <bruant.d@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
There's nothing special about data URLs and CSP.  If you want to whitelist
data URLs, you can include data: as a source:

default-src 'self'; script-src 'self' data:

Note: Whitelisting data: as a source for script will open up your site to
XSS.

If you want to whitelist data: for WebWorkers, you can do that as follows:

default-src 'self'; connect-src 'self' data:

Note: That doesn't have the same security problems as whitelisting data: as
a source for script.

Adam


On Thu, Jul 19, 2012 at 1:35 PM, David Bruant <bruant.d@gmail.com> wrote:

> Hi,
>
> I was wondering what CSP says about data URIs used as script@src and
> Web Worker source.
>
> Thanks,
>
> David
>
>
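The two policies in the reply differ only in which directive carries `data:`, and the practical effect is easiest to see by evaluating them. The following is an added example, not code from the thread or from any browser: a deliberately small model of CSP source-list matching (only `'self'`, `'none'`, scheme sources such as `data:`, and plain host sources are handled, with fetch directives falling back to `default-src` as the spec describes). It applies the mapping the mail gives (script@src governed by `script-src`, the Worker source by `connect-src`) to a constructed `data:` script URL and a constructed page origin `https://example.test/`, and reports what each policy permits.

```javascript
// Added example (not from the mailing-list thread): a minimal model of
// CSP source-list matching, used to compare the two policies discussed.

// Parse "dir src src; dir src ..." into a Map of directive -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match a URL, given the page's own origin?
// Simplified: no wildcards, no path matching, no nonces or hashes.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // scheme-source, e.g. data: or https:
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  // host-source: resolve relative to the page's scheme and compare origins
  try {
    const host = new URL(source.includes('://') ? source : `${pageOrigin.protocol}//${source}`);
    return host.origin === url.origin;
  } catch (e) {
    return false;
  }
}

// Would the given fetch directive allow loading urlString under this policy?
function allowsFetch(policy, directive, urlString, pageOriginString) {
  const directives = parsePolicy(policy);
  const pageOrigin = new URL(pageOriginString);
  const url = new URL(urlString, pageOrigin);
  // A fetch directive that is absent falls back to default-src; if neither
  // is present the policy places no restriction on that fetch.
  const sources = directives.has(directive)
    ? directives.get(directive)
    : directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed inputs: the two policies from the reply, a constructed page
// origin, and a constructed data: URL carrying script.
const PAGE_ORIGIN = 'https://example.test/';
const SCRIPT_DATA_POLICY = "default-src 'self'; script-src 'self' data:";
const CONNECT_DATA_POLICY = "default-src 'self'; connect-src 'self' data:";
const DATA_SCRIPT_URL = 'data:text/javascript,console.log(1)';

// Summarise what each policy permits; returned rather than printed so it
// can be checked.
function comparePolicies() {
  return {
    // script-src data: lets any data: URL run as script (the XSS concern)
    scriptDataPolicyRunsDataScript:
      allowsFetch(SCRIPT_DATA_POLICY, 'script-src', DATA_SCRIPT_URL, PAGE_ORIGIN),
    // connect-src data: does not widen script-src, which stays on default-src 'self'
    connectDataPolicyRunsDataScript:
      allowsFetch(CONNECT_DATA_POLICY, 'script-src', DATA_SCRIPT_URL, PAGE_ORIGIN),
    // ...but it does permit the data: fetch governed by connect-src
    connectDataPolicyAllowsDataConnect:
      allowsFetch(CONNECT_DATA_POLICY, 'connect-src', DATA_SCRIPT_URL, PAGE_ORIGIN),
    // same-origin script remains allowed under both policies
    sameOriginScriptAllowed:
      allowsFetch(CONNECT_DATA_POLICY, 'script-src', '/app.js', PAGE_ORIGIN),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(comparePolicies());
}
```

The difference the reply points at shows up directly: with `script-src 'self' data:` the `data:` script is admitted, and since attacker-influenced markup can supply a `data:` URL, the policy no longer stops injected script; with `connect-src 'self' data:` the `script-src` check still falls back to `default-src 'self'` and rejects it. Two caveats for anyone adapting this: real source-list matching has more cases (wildcards, ports, paths, nonces and hashes) than this model, and which directive governs worker scripts has changed since this 2012 thread (CSP Level 3 defines `worker-src`, falling back to `child-src` and then `script-src`), so check the directive mapping of the CSP version your browsers implement rather than relying on the mapping given here.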
Received on Thursday, 19 July 2012 21:26:29 GMT
