- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 27 Apr 2013 07:08:56 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Web Application Security Working Group <public-webappsec@w3.org>

On Fri, Apr 26, 2013 at 3:07 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Apr 25, 2013 at 8:25 PM, Web Application Security Working
> Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> If breakage is minimal, setting CSP at all might imply that <base> is ignored unless whitelisted in the policy.
>
> In XML (and in HTML via script), xml:base can affect a bunch of URLs
> as well (not quite as much as <base> though). Should CSP take that
> into account?

Presumably we'll need to restrict it with base-uri as well.

Adam

Received on Saturday, 27 April 2013 14:09:58 UTC