- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 27 Feb 2013 15:57:43 -0800
- To: Alex Russell <slightlyoff@google.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Moving to public-webappsec (which is the working group for CSP as opposed to the general Security Interest Group).

Adam

On Wed, Feb 27, 2013 at 3:53 PM, Alex Russell <slightlyoff@google.com> wrote:
> Hi all,
>
> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> setting a restriction on the base URL of a document. Having this provided in
> a header and/or early in the page provides a bulwark against many of the
> worst post-CSS HTML injection attacks, and when combined with existing CSP
> 1.1 directives can deny many of the worst payload smuggling attacks.
>
> Is there appetite in the group to specify this for 1.1?
>
> Regards

Received on Wednesday, 27 February 2013 23:58:43 UTC