Re: CSP 1.1: More granular source list definitions.

Note that WebKit only started complying with CSP 1.0's spec on this point
about two weeks ago. Prior to that point, it was (silently) erroring out on
the whole source.

Given that history, we might have success at preparing the way for
granularity in 1.1 by adding a warning to 1.0 implementations now, noting
that the path component is being ignored. That would be lighter-weight than
a version component.


Mike West <>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

On Mon, Jul 2, 2012 at 6:45 AM, Odin Hørthe Omdal <> wrote:

> On Fri, 22 Jun 2012 11:31:41 +0200, Mike West <> wrote:
>> One of the proposals for CSP 1.1 is additional granularity in source
>> paths (wiki/Content_Security_Policy#Proposals_for_Version_1.1 <>).
>> I think this additional granularity is well worth pursuing
> I think so too. There's many places in CSP that I think it's a bit too
> granular and rather too complex IMHO, but this case seems a quite common
> way to give some additional security to smaller sites.
> In fact, it was also the first thing that came up when I talked with
> hackers making a small locally hosted image gallery software.
> You can work around it by having a userfiles domain, but it would
> complicate the setup procedure immensely.
> The problem with how the spec is doing things now (throwing away path
> component) is that sites using CSP (1.0) will no doubt have errors. They'll
> write script-src: and use scripts from js, except
> for that one time they use one on /my-demo/js.js and it works anyway so
> they actually don't think about it.
> So if CSP 1.0 is allowed to live a long time in a browser, the behavior we
> have now might actually be mandatory for site-compat.
> --
> Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software,

Received on Tuesday, 3 July 2012 19:24:01 UTC
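The two behaviours the thread contrasts, as an added example that is not code from the thread, from WebKit, or from the CSP spec: a toy host-source matcher that, in "1.0" mode, ignores the path component (and emits the warning Mike proposes) and, in "1.1" mode, honours it. The function names (`matchSource`, `checkPolicy`), the constants, and the 1.1 path rule used here (a source path ending in "/" is a directory prefix, anything else must match exactly) are assumptions; the thread only links to the 1.1 proposal. Wildcards, `'self'`, default ports and scheme upgrades are left out.

```javascript
// Added example: minimal CSP host-source matching in two modes.
// Assumed names and rules; not the spec's or any browser's code.
const VERSION_1_0 = "1.0"; // path component ignored, warning emitted
const VERSION_1_1 = "1.1"; // path component enforced (assumed rule below)

// Split a source expression such as "https://example.com/js/" into parts.
function parseSource(expr) {
  const u = new URL(expr);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,
    port: u.port,
    path: u.pathname,
  };
}

// Assumed 1.1 path rule: "/js/" covers everything under /js/, while "/js/a.js"
// covers only that file. A bare host ("/" path) covers the whole origin.
function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "" || sourcePath === "/") return true;
  if (sourcePath.endsWith("/")) return urlPath.startsWith(sourcePath);
  return urlPath === sourcePath;
}

// Decide whether resourceUrl is allowed by one source expression.
// Returns { allowed, warnings } so a caller can surface the 1.0 warning
// ("path component is being ignored") that the thread suggests.
function matchSource(expr, resourceUrl, version) {
  const src = parseSource(expr);
  const res = new URL(resourceUrl);
  const warnings = [];
  if (src.scheme !== res.protocol.replace(/:$/, "")) return { allowed: false, warnings };
  if (src.host !== res.hostname) return { allowed: false, warnings };
  if (src.port !== res.port) return { allowed: false, warnings };
  if (version === VERSION_1_0) {
    if (src.path !== "" && src.path !== "/") {
      warnings.push(`CSP 1.0: path component "${src.path}" in source "${expr}" is ignored`);
    }
    return { allowed: true, warnings }; // host matched; path never consulted
  }
  return { allowed: pathMatches(src.path, res.pathname), warnings };
}

// Evaluate a whole source list: allowed if any expression matches.
function checkPolicy(sources, resourceUrl, version) {
  const warnings = [];
  let allowed = false;
  for (const expr of sources) {
    const r = matchSource(expr, resourceUrl, version);
    warnings.push(...r.warnings);
    if (r.allowed) allowed = true;
  }
  return { allowed, warnings };
}

// Odin's scenario with constructed URLs: the policy names the /js/ directory,
// but one page loads a script from /my-demo/js.js. It works under 1.0 (with a
// warning) and stops working once the path is enforced.
const policy = ["https://example.com/js/"];
const demoScript = "https://example.com/my-demo/js.js";
console.log(checkPolicy(policy, demoScript, VERSION_1_0)); // allowed, 1 warning
console.log(checkPolicy(policy, demoScript, VERSION_1_1)); // blocked
console.log(checkPolicy(policy, "https://example.com/js/app.js", VERSION_1_1)); // allowed
```

Running a site's existing 1.0 policy through the 1.0 mode and collecting the warnings is the cheap way to find the source expressions whose path component is currently being thrown away, which is exactly the set that will start blocking resources when path matching is enforced.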