
Re: Restricting <base> URLS via CSP

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 12:15:53 +0100
Message-ID: <CAKXHy=cyiZiuk0oUMcsddv+uwzmFBiowBhDCeKjNU7c5hx4wzg@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Adam Barth <w3c@adambarth.com>

Thanks for the suggestion, both Alex and Ashar.

I agree that there's some value in a directive like this one, but it's
unclear to me how it should work. In particular:

* '*-src' directives set a list of accepted sources, while 'sandbox'
actually changes a flag on the document. How should base restrictions be
handled? Should 'base-uri http://example.com/' set the protected resource's
base URL, or should it allow the page to set its base URL to
'http://example.com/' if it chooses?

* I'm sympathetic to setting something like "base-url 'self'" by default
whenever a policy is active. I suspect that would have little to no impact
on the web at large, and would kill an attack vector. I'll see what I can
find out about <base> usage in general; in the absence of data, are there
objections to this? It's not exactly consistent with some other decisions
we've made (allowing unlisted items by default, for instance)... if
"whenever a policy is active" is unappealing, would "whenever any
non-sandbox directive is enforced" be better (as I vaguely recall that
being the sticking point)?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Fri, Mar 1, 2013 at 7:03 PM, Alex Russell <slightlyoff@google.com> wrote:

>
> On Feb 27, 2013 7:28 PM, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:
> >
> > > This isn't just about scripts; it affects forms, images, and every other
> > > sort of network behavior.
> >
> > My point was that web application authors opt-in to XSS protection
> > only when they specify a script-src. In the absence of script-src, we
> > are in XSS world, not post-xss.
>
> Ah, yes. Apologies for getting your meaning the first time.
>
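Added illustration, not code from the thread or from any browser: a JavaScript simulation of the second reading in the first bullet, where base-uri is a source list and the page may set its base URL only if the `<base href>` matches it (the reading CSP Level 2 later adopted). Source matching is a simplified form of CSP host-source matching, the `fallback` parameter models the "'self' by default" idea from the second bullet, and every policy and URL used is constructed.

```javascript
// Added example: simulate a base-uri directive as a source list that restricts
// which <base href> a document may set. Simplified CSP host-source matching;
// policies and URLs in tests are constructed, not taken from the thread.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
// optional scheme, optional "*." wildcard, host, optional port, optional path
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/\S*)?$/i;

// Return the base-uri source list from a policy string, or null if absent.
function parseBaseUriSources(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'base-uri') return tokens.slice(1);
  }
  return null;
}

// True if one source expression matches the candidate URL (a URL object).
function sourceMatches(source, candidate, docUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return candidate.origin === docUrl.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return candidate.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : docUrl.protocol; // no scheme: same as document
  if (candidate.protocol !== wantScheme) return false;
  const candHost = candidate.hostname.toLowerCase();
  const srcHost = host.toLowerCase();
  if (wildcard ? !candHost.endsWith('.' + srcHost) : candHost !== srcHost) return false;
  const candPort = candidate.port || DEFAULT_PORT[candidate.protocol] || '';
  if (port === undefined) { if (candidate.port !== '') return false; } // default port only
  else if (port !== '*' && port !== candPort) return false;
  if (path) {
    if (path.endsWith('/') ? !candidate.pathname.startsWith(path) : candidate.pathname !== path) return false;
  }
  return true;
}

// May a document at docUrlStr, governed by `policy`, set <base href="baseHref">?
// `fallback` is used when no base-uri directive is present (null = unrestricted).
function isBaseAllowed(policy, docUrlStr, baseHref, fallback = null) {
  const docUrl = new URL(docUrlStr);
  const sources = parseBaseUriSources(policy) || fallback;
  if (sources === null) return true;
  const candidate = new URL(baseHref, docUrl); // resolve relative hrefs against the document
  return sources.some((s) => sourceMatches(s, candidate, docUrl));
}
```

Passing `["'self'"]` as `fallback` shows the effect of the proposed default: a policy with no base-uri directive would then still reject a `<base>` pointing at another origin.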
Received on Monday, 18 March 2013 11:16:43 GMT
