- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 12 Feb 2013 15:28:39 -0800
- To: Neil Matatall <neilm@twitter.com>
- CC: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2/12/2013 3:00 PM, Neil Matatall wrote:
> On Tue, Feb 12, 2013 at 2:41 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Is this for an HTTP page? In the first case, you have an extra "www".
>> If you want to whitelist subdomains, you'll need to specify
>> *.google.com.
>>
> Yes, http page.
>
> Hmm even weirder:
>
> <img src="http://google.com/asdf">
> <img src="https://google.com/asdf">
>
> I didn't supply the www :)

CSP is specified to operate on "where content is loaded from", not "text found in the document". If you specify a URL with a long redirect chain, each of those origins must be whitelisted.

This is to stop attacks such as taking advantage of an open redirector on the protected site. Presumably 'self' is allowed, so not blocking redirects amounts to complete negation of CSP on sites with such redirectors, or if any of the other sites you whitelist has one. It may also protect you if you're using some 3rd party resources and that site starts doing something unexpected (maliciously or not).

-Dan Veditz
Received on Tuesday, 12 February 2013 23:29:13 UTC
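The rule Dan describes (every hop of a redirect chain has to match the policy, not just the URL written in the page) is easy to reason about with a small simulator. The following Python is an added illustration, not code from this thread or from any browser; it implements CSP 1.0-style source matching as I understand the 2013 rules (a source without a scheme matches only the page's own scheme; later CSP levels additionally allow an http page to load https), and the page origin `http://example.org` and the redirect chains are constructed inputs chosen to mirror the `google.com` / `www.google.com` case in the thread.

```python
from urllib.parse import urlsplit

# Default ports so that "http://google.com" and "http://google.com:80" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def source_matches(source, url, page_origin):
    """True if a single CSP source expression allows `url` (CSP 1.0-style matching, assumed)."""
    scheme, host, port = origin_of(url)
    if source == "'self'":
        # 'self' is the protected resource's own scheme, host and port.
        return (scheme, host, port) == page_origin
    if source == "*":
        return True

    # Optional scheme part, e.g. "https://google.com".
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    else:
        src_scheme, rest = None, source

    # Optional port part, e.g. "google.com:8080" or "google.com:*".
    if ":" in rest:
        src_host, src_port = rest.rsplit(":", 1)
    else:
        src_host, src_port = rest, None

    # Scheme: an explicit scheme must match; an omitted one means "same as the page".
    if src_scheme is not None:
        if src_scheme != scheme:
            return False
    elif scheme != page_origin[0]:
        return False

    # Host: "*.google.com" matches any subdomain but NOT the bare "google.com".
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):  # src_host[1:] is ".google.com"
            return False
    elif host != src_host:
        return False

    # Port: "*" is any port, explicit must match, omitted means the scheme's default.
    if src_port == "*":
        return True
    if src_port is not None:
        return port == int(src_port)
    return port == DEFAULT_PORTS.get(scheme)


def evaluate_redirect_chain(sources, chain, page_origin):
    """Check every URL visited while fetching a resource (the initial request plus
    each redirect target) against the directive's source list.

    Returns (True, None) if the whole chain is allowed, otherwise (False, first_blocked_url).
    """
    for url in chain:
        if not any(source_matches(s, url, page_origin) for s in sources):
            return (False, url)
    return (True, None)


# --- Constructed inputs mirroring the thread --------------------------------
PAGE_ORIGIN = origin_of("http://example.org/")  # the protected http page (assumed)

# The document says <img src="http://google.com/asdf">, but the server redirects
# to the www host; the second hop is what CSP also has to approve.
CHAIN_WWW = ["http://google.com/asdf", "http://www.google.com/asdf"]

# An open redirector on the protected site bouncing to a third-party host
# (constructed hostnames; this is the case 'self' alone must not let through).
CHAIN_OPEN_REDIRECT = [
    "http://example.org/redirect?to=banner",
    "http://untrusted.example/banner.png",
]

if __name__ == "__main__":
    for policy in (["'self'", "google.com"],
                   ["'self'", "*.google.com"],
                   ["google.com", "*.google.com"]):
        print(policy, "->", evaluate_redirect_chain(policy, CHAIN_WWW, PAGE_ORIGIN))
    print(["'self'"], "->", evaluate_redirect_chain(["'self'"], CHAIN_OPEN_REDIRECT, PAGE_ORIGIN))
```

Running it shows why both of the policies discussed in the thread block the image: `google.com` alone fails at the `www.google.com` hop, while `*.google.com` alone fails on the very first request because the wildcard does not cover the bare domain. Only a list naming both (`google.com *.google.com`) lets the whole chain through, and the open-redirector chain is stopped at its second hop even though the first URL is `'self'`.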