W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

[CSP3] Allow paths without a domain

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Tue, 30 Dec 2014 18:22:46 +0000
Message-Id: <EC93C792-986F-4C33-A000-52E40CA48A80@craigfrancis.co.uk>
To: public-webappsec@w3.org
Hi,

Would it be possible to update the path matching section:

http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching

So that a path can be specified without a domain, e.g.

	Content-Security-Policy: script-src /js/;

This would be a bit more restrictive over just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable to, whereas /uploaded-images/ might be.

I realise the current domain could be specified, but this would be much shorter :-)

Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but thats just because I won't need them).

Craig
Received on Tuesday, 30 December 2014 18:23:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC