Re: CSP and jsonp callbacks

On 5/30/11 10:37 AM, Eduardo Vela wrote:
> Could it be possible to whitelist specific files, instead of complete
> origins? Maybe even global expressions (e.g.

It's a valid suggestion, left out of the current implementation in
the interests of simplicity and incrementalism. It is easy to add in
the future but hard to take out once supported.

CSP as it stands will work in some situations and maybe not quite as
well in others. Sites that use YouTube and CSP are no worse off than
they already are without CSP, and CSP greatly limits the attack
surface in general.

I'd like to let CSP go forward with the current site-level
whitelisting and collect feedback from sites who have deployed it.
It should become clear whether we need the added feature or not.

In the present we should make sure "host[:port]/" is ignored as
invalid (but not invalidating the entire policy, of course) so we
can use the presence of the '/' to distinguish the two cases in the

> I think forcing the right Content-Type for scripts might be the best
> solution, and maybe a rule to override this behavior, comments?

I supported this, a bit disappointed it has been dropped. It may not
have helped much if people had to override the behavior most of the

-Dan Veditz

Received on Tuesday, 31 May 2011 19:00:39 UTC