Hi Alex,
FYI, I wrote a proposal on this list last year after getting a
suggestion from Adam Barth. Here are the references:
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html
https://bugs.webkit.org/show_bug.cgi?id=99318
Regards,
ashar
On Thu, Feb 28, 2013 at 12:53 AM, Alex Russell <slightlyoff@google.com> wrote:
> Hi all,
>
> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> setting a restriction on the base URL of a document. Having this provided
> in a header and/or early in the page provides a bulwark against many of the
> worst post-CSS HTML injection attacks, and when combined with existing CSP
> 1.1 directives can deny many of the worst payload smuggling attacks.
>
> Is there appetite in the group to specify this for 1.1?
>
> Regards
>