
Re: Blank blocked-uris

From: Mike West <mkwst@google.com>
Date: Mon, 11 Feb 2013 15:17:01 +0100
Message-ID: <CAKXHy=c+w-5wBqg664+JjUT4xjyTiWiMqmyGH__1kLZWHMZiDQ@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

I took a stab at speccing this in
https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3. I'm not
entirely sure that I'm correctly referring to the class of schemes we care
about... I stole "URL scheme with a server-based naming authority" from the
HTML5 spec, which sounded reasonable, but feedback would be appreciated.

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Feb 5, 2013 at 5:02 PM, Mike West <mkwst@google.com> wrote:

> This makes sense to me. I'd suggest doing the same for filesystem: and
> blob: URLs.
>
> If there are no objections, I'll add something to the spec.
>
> -mike
>
>
> On Tue, Feb 5, 2013 at 4:40 PM, Neil Matatall <neilm@twitter.com> wrote:
>
>> Hello all,
>>
>> I was taking a look at our reports and noticed a significant number of
>> reports without a blocked-uri value. We tracked it down to two
>> (possibly more) culprits:
>>
>> data: URIs in images
>> javascript: URIs in hrefs
>>
>> I think the protocol would be enough information in this case.
Received on Monday, 11 February 2013 14:17:54 GMT
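The rule discussed in the thread, modelled as an added example (this is not code from the thread, from Chromium, or from the spec revision Mike links). It assumes that "URL scheme with a server-based naming authority" can be approximated by "the parsed URL has a non-empty host" (true for http:/https:, false for data:, javascript:, blob: and filesystem: after WHATWG parsing), and it keeps a CSP 1.0-style rule for authority-bearing URLs (full URL minus fragment when same-origin, origin only otherwise) that the thread does not itself spell out. The names blockedUriForReport, summarizeBlockedUris, buildReports, PROTECTED_ORIGIN and SAMPLE_BLOCKED, and the sample reports, are constructed for the example.

```javascript
// Added example: a model of the proposed blocked-uri rule plus a small triage
// over constructed violation reports. Uses the global WHATWG URL class (Node >= 10).

// Assumption: stand-in for "URL scheme with a server-based naming authority".
// data:, javascript:, blob: and filesystem: URLs parse with an empty host.
function hasServerBasedAuthority(url) {
  return url.host !== "";
}

// Compute the blocked-uri value a UA would put in a violation report.
// protectedOrigin is the origin of the document the policy applies to.
function blockedUriForReport(blockedUrlString, protectedOrigin) {
  let url;
  try {
    url = new URL(blockedUrlString);
  } catch (e) {
    return ""; // unparseable input: nothing safe to report
  }
  if (!hasServerBasedAuthority(url)) {
    // The thread's proposal: report the scheme instead of an empty string,
    // e.g. "data", "javascript", "blob", "filesystem".
    return url.protocol.replace(/:$/, "");
  }
  // Authority-bearing URLs: CSP 1.0-style rule (assumed here, not from the thread).
  if (url.origin === protectedOrigin) {
    url.hash = ""; // same-origin: full URL with the fragment stripped
    return url.href;
  }
  return url.origin; // cross-origin: origin only, no path leakage
}

// Build report objects in the JSON shape a report-uri endpoint receives.
function buildReports(blockedUrls, protectedOrigin) {
  return blockedUrls.map((u) => ({
    "csp-report": {
      "document-uri": protectedOrigin + "/",
      "violated-directive": "default-src 'self'",
      "blocked-uri": blockedUriForReport(u, protectedOrigin),
    },
  }));
}

// Triage helper for the receiving side: count reports by blocked-uri so that
// blank values (the problem Neil describes) stand out from scheme-only ones.
function summarizeBlockedUris(reports) {
  const counts = {};
  for (const r of reports) {
    const body = r["csp-report"] || {};
    const value = body["blocked-uri"];
    const key = value === undefined || value === "" ? "(blank)" : value;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample input (not real traffic).
const PROTECTED_ORIGIN = "https://example.com";
const SAMPLE_BLOCKED = [
  "data:image/png;base64,iVBORw0KGgo=",
  "javascript:void(0)",
  "blob:https://example.com/5f7a1c2e",
  "filesystem:https://example.com/temporary/app.js",
  "https://example.com/static/app.js#v3",
  "https://cdn.example.net/lib.js",
];

const SUMMARY = summarizeBlockedUris(buildReports(SAMPLE_BLOCKED, PROTECTED_ORIGIN));
console.log(JSON.stringify(SUMMARY, null, 2));
```

With the scheme-only rule in place, the summary for the sample set contains "data", "javascript", "blob" and "filesystem" as separate keys and no "(blank)" bucket, which is exactly the split a report consumer needs to tell an inline data: image from a genuinely missing value. Note that blob: and filesystem: URLs embed an origin in their path, so returning only the scheme also avoids echoing that origin into a cross-origin report.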
