Re: CSP, Blob Workers, and Firefox

Thanks for clearing that up.

Paul F

> On Apr 23, 2014, at 7:31 AM, Mike West <mkwst@google.com> wrote:
> 
> Brad's summary is correct: see http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#h_note_1 in the 1.1 spec, as well as the detailed algorithm description preceeding that note.
> 
> I need to change Blink's implementation to match the 1.1 spec. That work isn't done yet.
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
> 
>> On Sun, Apr 20, 2014 at 6:24 AM, Hill, Brad <bhill@paypal.com> wrote:
>> We've clarified this in the 1.1 spec, but I think the behavior is different between Chrome and Firefox at the moment.  Chrome uses 'self', but Firefox requires the "blob:" scheme to be listed explicitly.
>> 
>> The latter behavior is what is specified in the 1.1 spec, with the further refinement that "blob:" will never match a "*" policy, and must be explicitly listed.  This is because blob is really more like 'unsafe-eval' than it is like 'self'.
>> 
>> -Brad Hill
>> 
>> On Apr 19, 2014, at 6:58 AM, Paul Frazee <pfrazee@gmail.com> wrote:
>> 
>> > I've got an edge case that the Firefox guys see as undefined in the CSP spec.
>> >
>> > Bug report here: https://bugzilla.mozilla.org/show_bug.cgi?id=964276
>> >
>> > Shouldn't blob URIs take the origin that they've been created within? If so, script-src 'self' ought to allow the Worker to load.
>> >
>> > Paul F
>