W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2012

Re: CSP 1.1: Paths in source list definitions.

From: Mike West <mkwst@google.com>
Date: Mon, 15 Oct 2012 16:35:36 +0200
Message-ID: <CAKXHy=f1mWrA7RnFJhQR2aMcc1ELqHLSjjmtwNpTkw=Jk6FgfQ@mail.gmail.com>
To: Odin HÝrthe Omdal <odinho@opera.com>
Cc: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, dveditz@mozilla.com
On Mon, Oct 15, 2012 at 4:15 PM, Odin HÝrthe Omdal <odinho@opera.com> wrote:

> On Sat, 13 Oct 2012 09:56:35 +0200, Adam Barth <w3c@adambarth.com> wrote:
>
>  One open question is how we would handle query strings. Do we want to
>>> support 'example.com/js/thisfile.js?**id=2<http://example.com/js/thisfile.js?id=2>'?
>>> If so, how would we handle a
>>> request for 'example.com/js/thisfile.js?**extra=param&id=2<http://example.com/js/thisfile.js?extra=param&id=2>'?
>>> Is that a match?
>>> How about 'example.com/js/thisfile.js?**id=2&extra=param<http://example.com/js/thisfile.js?id=2&extra=param>
>>> '?
>>>
>> IMHO, we shouldn't support query strings.  This feature is most useful
>> for restricting to a known-safe directory.
>>
>
> What do you mean? Should not support query strings, as in:
>
>   example.com/js/thisfile.js?id=**2<http://example.com/js/thisfile.js?id=2>
>
> would be blocked, when CSP allows /js/thisfile.js?
>

I think he means the opposite: whitelisting 'example.com/js/thisfile.js'
would allow 'https://example.com/js/thisfile.js?29', etc. We'd simply
ignore the query portion of the source expression. That what I've
experimentally implemented in https://bugs.webkit.org/show_bug.cgi?id=99250,
and it seems like a reasonable solution.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 MŁnchen, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 15 October 2012 14:36:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 15 October 2012 14:36:24 GMT