
'none' in a source list.

From: Mike West <mkwst@google.com>
Date: Mon, 7 Jan 2013 18:59:49 +0100
Message-ID: <CAKXHy=etx4L-KV5tvOSCTrQEQGVp28S5rSOrK+WcSVTNA5cjLg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Alex Russell <slightlyoff@google.com>

Alex Russell brought up an interesting case off-list that I think is
currently under-specified: what do we do when 'none' is included in a
source list?

Currently, we specify "If source list (with leading and trailing
whitespace stripped) is a case insensitive match for the string 'none'
(including the quotation marks), return the empty set." I don't think
we say anything about a hypothetical `script-src 'none'
https://example.com/` or `script-src https://example.com 'none'
https://example.net`.

Alex's suggestion, which I think makes sense, is to explicitly treat
'none' in a source list as a noop. If we think of source lists as
strictly additive, then adding 'none' to the whitelist should have no
effect.

...

Actually, now that I'm typing this, I see that that's more or less
what we do in 3.2.2.1 #3: 'none' doesn't match the source-list
grammar, so it's not included in the list, but simply ignored.

That doesn't match WebKit's implementation, however, so I think it's
worth making sure that we agree that it's the right behavior before I
poke at http://trac.webkit.org/browser/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp#L360

Thanks!

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 7 January 2013 18:00:41 GMT
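The parsing behaviour the message quotes from the spec (a source list that is exactly 'none' yields the empty set; a 'none' token mixed with other sources fails the source-expression grammar and is simply dropped) can be shown with a small parser. The following is an added example written for this archive page; it is not the spec's reference code and not WebKit's ContentSecurityPolicy.cpp. The grammar regexes are a deliberately reduced version of the CSP 1.0 source-expression ABNF, an assumption sufficient for the directives discussed in the message.

```python
import re
from typing import FrozenSet, Tuple

# Reduced source-expression grammar (assumption: simplified from the CSP 1.0
# ABNF; enough to cover keywords, scheme-sources and host-sources).
_KEYWORD = re.compile(r"^'(self|unsafe-inline|unsafe-eval)'$", re.IGNORECASE)
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
_HOST = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                  # optional scheme
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"  # host, optional wildcard
    r"(?::(?:\*|\d+))?"                                    # optional port
    r"(?:/[^\s]*)?$"                                       # optional path
)


def is_source_expression(token: str) -> bool:
    """True if the token matches the (reduced) source-expression grammar.

    Note that 'none' is *not* a source expression: it is only meaningful as the
    entire source list, so as a mixed-in token it fails this check.
    """
    return bool(_KEYWORD.match(token) or _SCHEME.match(token) or _HOST.match(token))


def parse_source_list(source_list: str) -> FrozenSet[str]:
    """Parse a CSP source list into the set of source expressions it whitelists."""
    stripped = source_list.strip()
    # Spec text quoted in the message: a case-insensitive match for 'none'
    # (quotes included) on the whole stripped list returns the empty set.
    if stripped.lower() == "'none'":
        return frozenset()
    sources = set()
    for token in stripped.split():
        if is_source_expression(token):
            sources.add(token)
        # Anything else, including a stray 'none' alongside real sources, is
        # ignored rather than added: a no-op in an additive whitelist.
    return frozenset(sources)


def parse_directive(directive: str) -> Tuple[str, FrozenSet[str]]:
    """Split a single directive such as "script-src 'none' https://example.com/"
    into its lower-cased name and parsed source list."""
    parts = directive.strip().split(None, 1)
    name = parts[0].lower() if parts else ""
    source_list = parts[1] if len(parts) > 1 else ""
    return name, parse_source_list(source_list)


if __name__ == "__main__":
    # Constructed inputs mirroring the two hypothetical directives in the message.
    for d in ("script-src 'none'",
              "script-src 'none' https://example.com/",
              "script-src https://example.com 'none' https://example.net"):
        print(d, "->", parse_directive(d))
```

Run as a script it prints the parsed whitelist for each of the message's examples; the second and third directives keep their host sources and lose the 'none', while the first yields an empty whitelist (block everything). The difference from an implementation that treats any 'none' token as "block all" is exactly the WebKit discrepancy the message asks about.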
