- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 19 Jul 2012 14:25:29 -0700
- To: David Bruant <bruant.d@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 19 July 2012 21:26:29 UTC
There's nothing special about data URLs and CSP. If you want to
whitelist data URLs, you can include data: as a source:

default-src 'self'; script-src 'self' data:

Note: Whitelisting data: as a source for script will open up your site to XSS.

If you want to whitelist data: for WebWorkers, you can do that as follows:

default-src 'self'; connect-src 'self' data:

Note: That doesn't have the same security problems as whitelisting
data: as a source for script.

Adam

On Thu, Jul 19, 2012 at 1:35 PM, David Bruant <bruant.d@gmail.com> wrote:
> Hi,
>
> I was wondering what CSP says about data uri used as script@src and
> Web Worker source.
>
> Thanks,
>
> David
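Added example, not part of the message above: a small JavaScript check that reports whether a policy string permits data: as a script source or as a connect source, including the case where the directive is absent and default-src applies. The function names are hypothetical, and only an explicit data: token is matched (wildcards and other source expressions are not evaluated).

```javascript
// Added example; helper names are hypothetical, not from any library.

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing a directive: its own list, else default-src's list.
// Returns null when neither is present (that resource type is unrestricted).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// True when the list contains the scheme token itself, e.g. "data:".
function allowsScheme(sources, scheme) {
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === scheme);
}

// Report where data: URLs are permitted by the policy.
function auditDataUrls(policy) {
  const d = parseCsp(policy);
  return {
    scriptFromData: allowsScheme(effectiveSources(d, 'script-src'), 'data:'),
    connectFromData: allowsScheme(effectiveSources(d, 'connect-src'), 'data:'),
  };
}

// The two policies from the message, plus one constructed policy showing
// that data: in default-src reaches script-src through fallback.
const samples = [
  "default-src 'self'; script-src 'self' data:",
  "default-src 'self'; connect-src 'self' data:",
  "default-src 'self' data:", // constructed sample
];
for (const p of samples) console.log(p, auditDataUrls(p));
```

The third policy has no script-src directive at all, yet it still allows script from data: because default-src carries the token.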