Re: [webappsec] CSP: are blob uri's really just origin='self'?

More evidence of the problem. Unless we restrict "*" to mean "same
scheme" or "http/https only" we're going to keep adding exceptions and
getting bit when people invent new schemes. Keep it simple for web
developers:
  - CSP is an HTTP header, "*" means HTTP(s) things
  - anything else must be explicit

-Dan Veditz

On 9/3/2013 1:48 PM, Devdatta Akhawe wrote:
> Should we add filesystem: URIs to that list? I think there was a claimed
> Chrome extensions' CSP bypass due to filesystem: URIs at this year's
> AppSecEU: http://is.gd/mq1GLQ
> 
> -dev
> 
> On 3 September 2013 13:38, Brad Hill <hillbrad@gmail.com
> <mailto:hillbrad@gmail.com>> wrote:
> 
>     We had an action item for some time to clarify this, that we
>     dropped.  I'd propose something like the following:

Received on Tuesday, 3 September 2013 21:15:01 UTC
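As an added illustration (not part of the thread, and not the CSP spec's matching algorithm), the following Python sketch implements the rule proposed above: `*` covers only http(s) URLs, while `blob:`, `filesystem:` and any other scheme must appear explicitly in the source list. The `'self'` handling and the sample URLs are constructed for the example; `WILDCARD_SCHEMES`, `source_matches` and `allowed` are names chosen here, not identifiers from any implementation.

```python
from urllib.parse import urlsplit

# Schemes the "*" wildcard covers under the proposed rule (constructed for
# this example; it follows the proposal in the message, not a spec text).
WILDCARD_SCHEMES = {"http", "https"}


def source_matches(source_expr: str, url: str, page_origin: str) -> bool:
    """Return True if `url` is permitted by one CSP source expression.

    Simplified, hypothetical matcher: handles "*", "'self'", bare scheme
    sources such as "blob:", and host sources such as "https://cdn.example".
    Ports and paths are ignored for brevity.
    """
    parts = urlsplit(url)

    if source_expr == "*":
        # Wildcard means "HTTP(s) things" only; blob:, filesystem:, data:
        # and any newly invented scheme fall through to explicit sources.
        return parts.scheme in WILDCARD_SCHEMES

    if source_expr == "'self'":
        # A blob: or filesystem: URL has no host component in urlsplit's
        # view, so it never equals the page origin here; it must be listed
        # explicitly as "blob:" or "filesystem:" to be allowed.
        origin = urlsplit(page_origin)
        return (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc)

    if source_expr.endswith(":") and "/" not in source_expr:
        # Bare scheme source, e.g. "blob:" or "filesystem:".
        return parts.scheme == source_expr[:-1]

    # Host source: scheme and host must match exactly.
    src = urlsplit(source_expr)
    return src.scheme == parts.scheme and src.netloc == parts.netloc


def allowed(directive_value: str, url: str, page_origin: str) -> bool:
    """Evaluate a whole source list (e.g. the value of script-src)."""
    return any(source_matches(s, url, page_origin)
               for s in directive_value.split())


if __name__ == "__main__":
    # Constructed sample inputs.
    page = "https://app.example"
    urls = [
        "https://cdn.example/app.js",
        "blob:https://app.example/1234-5678",
        "filesystem:https://app.example/temporary/x.js",
    ]
    for policy in ("*", "* blob:", "'self'", "'self' filesystem:"):
        for u in urls:
            print(f"script-src {policy:<20} {u:<50} -> {allowed(policy, u, page)}")
```

Running the block prints one line per policy/URL pair; the point to notice is that `script-src *` permits the CDN script but rejects both the `blob:` and `filesystem:` URLs until those schemes are named, and that `'self'` alone does not admit a `blob:` URL minted by the same page.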