
Re: webappsec-ISSUE-48 (base uri): injection of a <base> tag to change effective location of relative resources [CSP 1.1]

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 27 Apr 2013 07:08:56 -0700
Message-ID: <CAJE5ia_1E+d_t-qCDkRNmA5+5M8KHb4o7G33_k07TLmUYUVndA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Web Application Security Working Group <public-webappsec@w3.org>

On Fri, Apr 26, 2013 at 3:07 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Apr 25, 2013 at 8:25 PM, Web Application Security Working
> Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> If breakage is minimal, setting CSP at all might imply that <base> is ignored unless whitelisted in the policy.
>
> In XML (and in HTML via script), xml:base can affect a bunch of URLs
> as well (not quite as much as <base> though). Should CSP take that
> into account?

Presumably we'll need to restrict it with base-uri as well.

Adam
Received on Saturday, 27 April 2013 14:09:58 UTC
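The issue under discussion is that an injected `<base href>` changes the effective base of every relative URL in the document, so a relative `src` can end up fetched from a host the author never intended, and that `base-uri` is the directive meant to restrict it. The following added example (not code from the thread or from any browser) shows both halves: how resolution shifts once a `<base>` is present, and a simplified check of a `<base href>` against a policy's `base-uri` sources. It only models `'none'`, `'self'`, and `scheme://host[:port]` sources with a leading `*.` host wildcard; paths and other keywords are left out, and the URLs and policy strings are constructed for illustration.

```javascript
// Added example (not from the thread or any browser's code): how an injected <base href>
// redirects relative URLs, and a simplified CSP base-uri check that would reject it.
// Handles 'none', 'self' and scheme://host[:port] sources with a "*." host wildcard only.

function resolveRelative(documentUrl, baseHref, relative) {
  // The effective base is the <base href> when present, else the document URL.
  const base = baseHref ? new URL(baseHref, documentUrl).href : documentUrl;
  return new URL(relative, base).href;
}

function parseBaseUri(policy) {
  // Return the base-uri source list, or null if the policy has no such directive.
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'base-uri') return tokens.slice(1);
  }
  return null;
}

function hostMatches(pattern, host) {
  if (!pattern.startsWith('*.')) return pattern === host;
  const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
  return host.endsWith(suffix) && host.length > suffix.length;
}

function baseAllowed(policy, documentUrl, baseHref) {
  const sources = parseBaseUri(policy);
  if (sources === null) return true; // no base-uri directive: <base> is unrestricted
  const doc = new URL(documentUrl);
  const candidate = new URL(baseHref, documentUrl);
  const defaultPort = (scheme) => (scheme === 'https' ? '443' : '80');
  for (const src of sources) {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') continue;
    if (s === 'self') { if (candidate.origin === doc.origin) return true; continue; }
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
    if (!m) continue;
    const [, scheme, host, port] = m;
    const wantScheme = scheme || doc.protocol.slice(0, -1); // no scheme: inherit the document's
    if (candidate.protocol.slice(0, -1) !== wantScheme) continue;
    if (!hostMatches(host, candidate.hostname)) continue;
    const candPort = candidate.port || defaultPort(wantScheme);
    if (port !== '*' && candPort !== (port || defaultPort(wantScheme))) continue;
    return true;
  }
  return false;
}
```

A policy without `base-uri` returns `true` for any `<base href>`, which is the behaviour the tracker issue proposes changing; `xml:base` rebases URLs in the same way, so the same check applies to it.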
