- From: Odin Hørthe Omdal <odinho@opera.com>
- Date: Mon, 02 Jul 2012 13:45:38 +0200
- To: public-webappsec@w3.org
On Fri, 22 Jun 2012 11:31:41 +0200, Mike West <mkwst@google.com> wrote:

> One of the proposals for CSP 1.1 is additional granularity in source paths
> (http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1).
> I think this additional granularity is well worth perusing

I think so too. There are many places in CSP that I think are a bit too granular and rather too complex IMHO, but this case seems a quite common way to give some additional security to smaller sites.

In fact, it was also the first thing that came up when I talked with hackers making a small locally hosted image gallery software. You can work around it by having a userfiles domain, but it would complicate the setup procedure immensely.

The problem with how the spec is doing things now (throwing away the path component) is that sites using CSP (1.0) will no doubt have errors. They'll write script-src: http://my-site.com/js/ and use scripts from js, except for that one time they use one on /my-demo/js.js and it works anyway, so they actually don't think about it.

So if CSP 1.0 is allowed to live a long time in a browser, the behavior we have now might actually be mandatory for site-compat.

-- 
Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software, http://opera.com
Received on Monday, 2 July 2012 11:46:16 UTC
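As an added illustration of the compatibility point raised in the mail above (example code, not from the thread or from any browser's CSP implementation), the following Python matcher compares CSP 1.0 host-only matching, where the path is thrown away, with path-aware matching. The policy and script URLs are constructed from the ones in the mail; the path semantics assumed (trailing slash is a directory prefix, anything else is an exact match) follow the rules later adopted in CSP Level 2, and wildcards are not modelled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def matches_source(source: str, url: str, honour_path: bool) -> bool:
    """True if `url` is allowed by one CSP host-source expression.

    honour_path=False models CSP 1.0: the path of the source expression is
    discarded and only scheme, host and port are compared.
    honour_path=True models path granularity (assumed here to follow the
    later CSP Level 2 rules): a source path ending in '/' is a directory
    prefix match, any other path must match exactly.
    """
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme.lower() != tgt.scheme.lower() or src.hostname != tgt.hostname:
        return False
    # Compare effective ports so "http://host" and "http://host:80" agree.
    src_port = src.port or DEFAULT_PORTS.get(src.scheme.lower())
    tgt_port = tgt.port or DEFAULT_PORTS.get(tgt.scheme.lower())
    if src_port != tgt_port:
        return False
    if not honour_path or src.path in ("", "/"):
        return True
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)
    return tgt.path == src.path

# Constructed sample policy and script locations, taken from the mail.
POLICY_SOURCES = ["http://my-site.com/js/"]
SCRIPT_URLS = [
    "http://my-site.com/js/app.js",       # the intended location
    "http://my-site.com/my-demo/js.js",   # the "one time" exception
    "http://cdn.example/lib.js",          # never allowed under either rule
]

def path_compat_report(sources, script_urls):
    """Map each script URL to (allowed with path ignored, allowed with path enforced)."""
    return {
        url: (any(matches_source(s, url, False) for s in sources),
              any(matches_source(s, url, True) for s in sources))
        for url in script_urls
    }

def works_by_accident(sources, script_urls):
    """Scripts that load under CSP 1.0 only because the path is ignored;
    these are exactly the loads that break once paths are enforced."""
    return [url for url, (old, new) in path_compat_report(sources, script_urls).items()
            if old and not new]

if __name__ == "__main__":
    for url, (old, new) in path_compat_report(POLICY_SOURCES, SCRIPT_URLS).items():
        print(f"{url}: path ignored={old}, path enforced={new}")
    print("would break:", works_by_accident(POLICY_SOURCES, SCRIPT_URLS))
```

Running the report against a site's real script URLs before a browser starts honouring paths is the practical way to find the "works anyway" loads the mail describes.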