[webappsec] do we want a way to hash data: and blob: uris?

Just had a chat with Marcos on how manifests want to use CSP.

It came up that while data:, blob:, etc. are effectively
unsafe-inline, we don't have a way to treat them with hash-source. If
I want to allow a specific data: uri but not all data: uris, I need to
repeat the whole blob in my CSP.

Is it worthwhile (for v.Next) to specify a way to take the hash of
GUID-type uris?

-Brad

Received on Tuesday, 28 October 2014 23:00:54 UTC