
Re: script and data uri

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 19 Jul 2012 14:25:29 -0700
Message-ID: <CAJE5ia9zJMr7sV4UCMGPrdVYFT7FKPZhzxOJjVPvn=_CKvKJ7Q@mail.gmail.com>
To: David Bruant <bruant.d@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

There's nothing special about data URLs and CSP.  If you want to whitelist
data URLs, you can include data: as a source:

default-src 'self'; script-src 'self' data:

Note: Whitelisting data: as a source for script will open up your site to

If you want to whitelist data: for WebWorkers, you can do that as follows:

default-src 'self'; connect-src 'self' data:

Note: That doesn't have the same security problems as whitelisting data: as
a source for script.


On Thu, Jul 19, 2012 at 1:35 PM, David Bruant <bruant.d@gmail.com> wrote:

> Hi,
> I was wondering what CSP says about data uri used in as script@src and
> Web Worker source.
> Thanks,
> David
Received on Thursday, 19 July 2012 21:26:29 UTC
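The two policies in Adam's reply differ only in which directive carries `data:`, and that difference is what decides whether a `data:` URL may be executed as script. The added example below is not part of the thread; it is a deliberately small CSP source-list evaluator that shows the mechanics the reply relies on: a directive falls back to `default-src` when absent, a scheme-source such as `data:` matches by scheme only, and `'self'` never matches a `data:` URL (so a `data:` script is blocked unless `script-src` names `data:` explicitly). It assumes a simplified matcher (exact host match, no wildcard subdomains, no port defaulting, no path matching) and constructed policies and URLs; which directive governs Worker creation has changed across CSP levels (`child-src` in Level 2, `worker-src` in Level 3), so the evaluator just checks whatever directive the caller asks about.

```python
from urllib.parse import urlsplit

# Added example, not code from the mailing-list thread or the CSP spec.
# Simplified matcher: exact host-source comparison, no '*.host' wildcards,
# no default ports, no path matching.


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source, ...]}.

    Directives are separated by ';'. If a directive is repeated, the first
    occurrence wins (that is what the spec requires of user agents).
    """
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def source_matches(source, url, origin):
    """Return True if one source expression allows `url` for a page at `origin`."""
    src = source.lower()
    u = urlsplit(url)
    o = urlsplit(origin)
    if src == "'none'":
        return False
    if src == "'self'":
        # data: URLs have no host, so they can never equal the page's origin.
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if src == "*":
        # The wildcard matches network schemes only; data:, blob: and
        # filesystem: must be whitelisted explicitly by scheme.
        return u.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":"):
        # scheme-source, e.g. data: or https:
        return u.scheme == src[:-1]
    if "://" in src:
        # host-source with an explicit scheme
        s = urlsplit(src)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    # host-source without a scheme inherits the page's scheme
    return u.scheme == o.scheme and u.netloc == src


def allows(policy, directive, url, origin):
    """Decide whether `directive` permits loading `url`.

    A missing fetch directive falls back to default-src; if neither is
    present the policy imposes no restriction on that load.
    """
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, origin) for s in sources)


# Constructed inputs mirroring the two policies from the reply.
ORIGIN = "https://example.com"
DATA_SCRIPT = "data:text/javascript,console.log(1)"
SCRIPT_DATA_POLICY = parse_csp("default-src 'self'; script-src 'self' data:")
CONNECT_DATA_POLICY = parse_csp("default-src 'self'; connect-src 'self' data:")


def summary():
    """Return the decisions a reviewer would want to see side by side."""
    return {
        # data: named in script-src -> a data: URL may run as script
        "script_data_allows_data_script": allows(SCRIPT_DATA_POLICY, "script-src", DATA_SCRIPT, ORIGIN),
        # img-src is absent, so it falls back to default-src 'self' and data: is blocked
        "script_data_allows_data_image": allows(SCRIPT_DATA_POLICY, "img-src", "data:image/png;base64,AAAA", ORIGIN),
        # data: only in connect-src -> script-src falls back to 'self', data: script blocked
        "connect_data_allows_data_script": allows(CONNECT_DATA_POLICY, "script-src", DATA_SCRIPT, ORIGIN),
        "connect_data_allows_data_connect": allows(CONNECT_DATA_POLICY, "connect-src", DATA_SCRIPT, ORIGIN),
        # 'self' still admits same-origin script, and rejects a third-party host
        "same_origin_script": allows(SCRIPT_DATA_POLICY, "script-src", "https://example.com/app.js", ORIGIN),
        "third_party_script": allows(SCRIPT_DATA_POLICY, "script-src", "https://cdn.example.net/x.js", ORIGIN),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```

The practical takeaway for a policy author is visible in the first and third results: the same `data:` token is harmless in a directive like `connect-src` but, placed in `script-src`, it lets any `data:` URL that reaches a script element execute, which removes much of the protection CSP gives against injected script.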
