Re: CSP 1.1: Paths in source list definitions.

From: Dan Veditz <dveditz@mozilla.com>
Date: Mon, 15 Oct 2012 17:39:57 -0700
Message-ID: <507CACDD.8000402@mozilla.com>
To: Mike West <mkwst@google.com>
CC: Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>

On 10/15/12 7:35 AM, Mike West wrote:
> I think he means the opposite: whitelisting 'example.com/js/thisfile.js'
> would allow 'https://example.com/js/thisfile.js?29', etc. We'd simply
> ignore the query portion of the source expression.

Yes, I think we have to do that. While sites do return different
resources in response to different queries, in many cases the arguments
are not order sensitive or are optional. The next CSP feature request
would be some complex regular expression syntax for matching parts of
the query string -- yuck.

-Dan Veditz
Received on Tuesday, 16 October 2012 00:40:25 GMT