- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 30 Dec 2014 19:23:47 +0000
- To: Craig Francis <craig@craigfrancis.co.uk>, public-webappsec@w3.org
Received on Tuesday, 30 December 2014 19:24:15 UTC
https://www.w3.org/2011/webappsec/track/issues/73

On Tue Dec 30 2014 at 10:24:36 AM Craig Francis <craig@craigfrancis.co.uk> wrote:

> Hi,
>
> Would it be possible to update the path matching section:
>
> http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching
>
> So that a path can be specified without a domain, e.g.
>
> Content-Security-Policy: script-src /js/;
>
> This would be a bit more restrictive over just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable to, whereas /uploaded-images/ might be.
>
> I realise the current domain could be specified, but this would be much shorter :-)
>
> Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but that's just because I won't need them).
>
> Craig
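To make the trade-off in the quoted message concrete, here is an added example (not code from the thread or from the CSP spec) that evaluates a URL against CSP Level 2 host-source expressions using the spec's path rule: a source path ending in "/" is a prefix match, any other path must match exactly, and query/fragment are ignored. It implements only the existing origin-plus-path form that Craig says is "much longer"; his proposed bare-path form (`/js/`) is not a valid host-source today and is treated as matching nothing. Wildcards and port matching are left out, and the hostnames and file names below are constructed sample values.

```python
"""Minimal CSP Level 2 host-source matcher: scheme://host/path against a URL."""
from urllib.parse import urlsplit


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Return True if `url` is allowed by the single source expression `source`."""
    u = urlsplit(url)
    if source == "'self'":
        # 'self' allows anything on the document's own scheme and host[:port],
        # including a writable upload directory such as /uploaded-images/.
        s = urlsplit(self_origin)
        return (u.scheme, u.netloc.lower()) == (s.scheme, s.netloc.lower())
    s = urlsplit(source)
    if not s.netloc:
        # Bare paths like "/js/" (the form proposed in the thread) are not a
        # valid host-source in the current spec; they match nothing.
        return False
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.netloc.lower() != u.netloc.lower():
        return False
    if not s.path:
        return True  # no path component: the whole origin is allowed
    if s.path.endswith("/"):
        return u.path.startswith(s.path)  # directory prefix match
    return u.path == s.path  # exact file match (query string ignored)


def allowed(policy_sources, url: str, self_origin: str) -> bool:
    """True if any source expression in the directive's source list allows `url`."""
    return any(source_matches(src, url, self_origin) for src in policy_sources)


if __name__ == "__main__":
    # Constructed scenario from the thread: a script in the read-only /js/
    # directory versus one dropped into a writable upload directory.
    origin = "https://example.com"  # assumed document origin
    urls = ("https://example.com/js/app.js",
            "https://example.com/uploaded-images/uploaded.js")
    for policy in (["'self'"], ["https://example.com/js/"]):
        for u in urls:
            print(f"script-src {' '.join(policy)} -> {u}: {allowed(policy, u, origin)}")
```

Running it shows that `'self'` admits both URLs while `https://example.com/js/` admits only the one under `/js/`, which is the restriction Craig is asking to express more briefly.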