Re: Remove paths from CSP? from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 13:21:20 +0100
To: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=ek3BgZS3ibA35JqE8ztd67y1Ww9M-vS1+5JoRJEoeLaQ@mail.gmail.com>

+public-webappsec for comment.

On Wed, Feb 12, 2014 at 12:46 PM, Egor Homakov <homakov@gmail.com> wrote:

> No, auto-approving will only work for /specified_paths.
> E.g. even if there's a redirect /r/csp you won't be able to include it as
> a script, since only /jquery.js is allowed. There should be no
> auto-approving for wild-card whitelists with unspecified paths, for sure.
> I don't see any new threats coming from this feature.
>

Hrm. Interesting approach.

So if your source expression contains a path, then any redirects under that
path are accepted? I suppose that lowers the risk. It certainly increases
complexity (both implementation and understanding), but that might be
workable.

-mike

Received on Wednesday, 12 February 2014 12:22:09 UTC