W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: No scheme in policy: Errors for either scheme

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 12 Feb 2013 15:28:39 -0800
Message-ID: <511AD027.6000604@mozilla.com>
To: Neil Matatall <neilm@twitter.com>
CC: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2/12/2013 3:00 PM, Neil Matatall wrote:
> On Tue, Feb 12, 2013 at 2:41 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Is this for an HTTP page?  In the first case, you have an extra "www".
>>   If you want to whitelist subdomains, you'll need to specific
>> *.google.com.
> Yes, http page.
> Hmm even weirder:
> <img src="http://google.com/asdf">
> <img src="https://google.com/asdf">
> I didn't supply the www :)

CSP is specified to operate on "where content is loaded from" not "text 
found in the document". If you specify a URL with a long redirect chain 
each of those origins must be whitelisted.

This is to stop attacks such as taking advantage of an open redirector 
on the protected site. Presumably 'self' is allowed, so not blocking 
redirects amounts to complete negation of CSP on sites with such 
redirectors, or if any of the other sites you whitelist has one.

Also may protect you if you're using some 3rd party resources and that 
site starts doing something unexpected (maliciously or not).

-Dan Veditz
Received on Tuesday, 12 February 2013 23:29:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC