- From: Alex Russell <slightlyoff@google.com>
- Date: Wed, 27 Feb 2013 23:53:23 +0000
- To: public-web-security@w3.org
- Cc: Adam Barth <abarth@chromium.org>, Mike West <mkwst@google.com>
Received on Wednesday, 27 February 2013 23:53:53 UTC
Hi all, After chatting with Adam and Mike, I'd like to propose a new CSP field for setting a restriction on the base URL of a document. Having this provided in a header and/or early in the page provides a bulwark against many of the worst post-CSS HTML injection attacks, and when combined with existing CSP 1.1 directives can deny many of the worst payload smuggling attacks. Is there appetite in the group to specify this for 1.1? Regards
Received on Wednesday, 27 February 2013 23:53:53 UTC