
Re: Blank blocked-uris

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Mar 2013 16:48:43 -0800
Message-ID: <CAJE5ia-4u_r2X6-xmwN6iwH+46Tcq31CwiFkg_eY8uV8CRnQPA@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I'm not sure if you got an answer to your question, so I'll attempt one now.

If I was using data URLs in images on my site, I would feel
comfortable whitelisting img-src data:.  If I wasn't using data URLs
in images on my site, I would be (slightly) sad if the browser
automatically whitelisted them for me because it's attack surface I
don't need.

At a more meta level, CSP is already pretty complicated to understand.
We might be able to get away with whitelisting data URLs for images,
but doing that would add more complexity to the feature because it
would introduce differences between, say, img-src and font-src.  IMHO,
we're better off with a policy language that's simpler even if it
requires that folks who are using data URLs need to whitelist them
themselves.

Adam


On Tue, Feb 5, 2013 at 12:04 PM, Neil Matatall <neilm@twitter.com> wrote:
> Somewhat related, whitelist img-src data: uris by default? Are there
> any attacks on this?
>
> On Tue, Feb 5, 2013 at 8:02 AM, Mike West <mkwst@google.com> wrote:
>> This makes sense to me. I'd suggest doing the same for filesystem: and blob:
>> URLs.
>>
>> If there are no objections, I'll add something to the spec.
>>
>> -mike
>>
>> --
>> Mike West <mkwst@google.com>, Developer Advocate
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>>
>> On Tue, Feb 5, 2013 at 4:40 PM, Neil Matatall <neilm@twitter.com> wrote:
>>>
>>> Hello all,
>>>
>>> I was taking a look at our reports and noticed a significant number of
>>> reports without a blocked-uri value. We tracked it down to two
>>> (possibly more) culprits:
>>>
>>> data: uris in images
>>> javascript: uris in hrefs
>>>
>>> I think the protocol would be enough information in this case.
>>>
>>
>
Received on Wednesday, 6 March 2013 00:49:43 UTC
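As an added illustration of the trade-off Adam describes (example code written for this page, not anything from the thread participants or from the CSP specification): a small Python matcher for a subset of CSP source expressions, so the effect of listing `data:` under img-src versus leaving it out is visible, plus a triage helper that buckets CSP 1.0 reports by directive and blocked-uri so that blank values, which Neil traced to data: images and javascript: hrefs, can be reviewed as one group before deciding whether the site actually uses such URLs. The policies, page origin and report lines are constructed samples; the matcher deliberately ignores wildcards, paths and port rules.

```python
"""Added example: a subset CSP source-list matcher and a report triage helper.
Not code from the thread or the spec; policies and reports below are constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample page origin and two candidate policies for it.
PAGE_ORIGIN = "https://www.example.com"
POLICY_NO_DATA = "default-src 'self'; img-src 'self' https://cdn.example.com"
POLICY_WITH_DATA = "default-src 'self'; img-src 'self' https://cdn.example.com data:"

# Constructed data: image URL (placeholder payload, not a real PNG).
DATA_IMG = "data:image/png;base64,iVBORw0KGgo="


def parse_policy(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def origin_of(url):
    """Return scheme://host[:port] for http(s) URLs; None for data:, blob:, javascript:."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def source_allows(source, url, page_origin):
    """Match one source expression against a URL.
    Assumption: simplified semantics (no wildcards, paths or port matching)."""
    scheme = urlsplit(url).scheme.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        # '*' covers network schemes only; data:/blob: must be listed explicitly.
        return scheme in ("http", "https")
    if source.endswith(":"):
        # scheme-source such as data: or blob: matches exactly that scheme
        return scheme == source[:-1].lower()
    # host-source: compare origins, assuming https when no scheme is given
    wanted = source if "://" in source else "https://" + source
    return origin_of(url) == wanted.rstrip("/")


def is_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Evaluate a fetch directive, falling back to default-src when it is absent."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # the policy says nothing about this kind of load
    return any(source_allows(src, url, page_origin) for src in sources)


# Constructed CSP 1.0-style reports; the first three show the blank blocked-uri symptom.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.example.com/", "violated-directive": "img-src \'self\'", "blocked-uri": ""}}',
    '{"csp-report": {"document-uri": "https://www.example.com/a", "violated-directive": "img-src \'self\'", "blocked-uri": ""}}',
    '{"csp-report": {"document-uri": "https://www.example.com/b", "violated-directive": "script-src \'self\'", "blocked-uri": ""}}',
    '{"csp-report": {"document-uri": "https://www.example.com/c", "violated-directive": "img-src \'self\'", "blocked-uri": "https://evil.example.net/x.png"}}',
]


def triage(report_lines):
    """Count reports by (directive name, blocked-uri); blank values become '<blank>'.
    A large '<blank>' bucket under img-src is the pattern the thread describes."""
    counts = Counter()
    for line in report_lines:
        body = json.loads(line)["csp-report"]
        directive = body["violated-directive"].split()[0]
        counts[(directive, body.get("blocked-uri") or "<blank>")] += 1
    return counts


if __name__ == "__main__":
    print("data: image under no-data policy  :", is_allowed(POLICY_NO_DATA, "img-src", DATA_IMG))
    print("data: image under data policy     :", is_allowed(POLICY_WITH_DATA, "img-src", DATA_IMG))
    print("data: font under data policy      :", is_allowed(POLICY_WITH_DATA, "font-src", DATA_IMG))
    for (directive, blocked), n in sorted(triage(SAMPLE_REPORTS).items()):
        print(f"{directive:12s} {blocked:32s} {n}")
```

The third check is the point Adam makes about keeping directives uniform: `data:` listed under img-src does nothing for font-src, which still falls back to `default-src 'self'`, so each directive that needs data: URLs has to say so itself.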

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC