Re: CSP: origin from a URL from Adam Barth on 2013-06-28 (public-webappsec@w3.org from June 2013)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 28 Jun 2013 09:37:47 -0700
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAJE5ia-x-H7UENQyaxzheZB6sAKhOR5tVXu2FCcK=RtP87bxOA@mail.gmail.com>

On Fri, Jun 28, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
>> If it's just data URLs for which this is a problem, "data:," is the
>> shortest valid data URL I know of. But I think it might be a problem
>> for blob URLs too. We could probably make the URL parser work for
>> "data:" and "blob:". They would not be valid data or blob URLs, but
>> would parse as URLs, if that makes sense.
>
> Pretty sure we decided blob: was covered by 'self' so you shouldn't need
> to specify that one.

Even though blob is covered by 'self', you might still need to include
it in a violation report.  The site doesn't necessarily need to
whitelist 'self'.

Adam

Received on Friday, 28 June 2013 16:38:47 UTC