- From: Mike West <mkwst@google.com>
- Date: Mon, 7 Jan 2013 18:59:49 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Alex Russell <slightlyoff@google.com>
Alex Russell brought up an interesting case off-list that I think is currently under-specified: what do we do when 'none' is included in a source list?

Currently, we specify "If source list (with leading and trailing whitespace stripped) is a case insensitive match for the string 'none' (including the quotation marks), return the empty set." I don't think we say anything about a hypothetical `script-src 'none' https://example.com/` or `script-src https://example.com 'none' https://example.net`.

Alex's suggestion, which I think makes sense, is to explicitly treat 'none' in a source list as a no-op. If we think of source lists as strictly additive, then adding 'none' to the whitelist should have no effect.

... Actually, now that I'm typing this, I see that that's more or less what we do in 3.2.2.1 #3: 'none' doesn't match the source-list grammar, so it's not included in the list, but simply ignored. That doesn't match WebKit's implementation, however, so I think it's worth making sure that we agree that it's the right behavior before I poke at http://trac.webkit.org/browser/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp#L360

Thanks!

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 7 January 2013 18:00:41 UTC
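The behaviour the message settles on (a source list that is exactly 'none' yields the empty set; a 'none' sitting next to other sources fails the source-expression grammar and is dropped, so the list stays additive) can be made concrete with a small parser. The following is an added example written for this page; it is not code from the CSP specification, from WebKit, or from the message's author. The names `parseSourceList`, `isSourceExpression`, `allows` and `hostMatches` are made up here, the regular expressions are a simplified rendering of the CSP 1.0 `source-expression` grammar (keyword, `scheme:` and `[scheme://]host[:port]`, no path), and the matcher's port and scheme defaults are assumptions noted in the comments. The sample policies include the two hypothetical directives from the message; WebKit's differing behaviour is not modelled because the message does not describe it.

```javascript
// Added example: CSP 1.0-style source-list parsing with the 'none' rule
// discussed in the message. Not code from the spec, WebKit, or the author.

// keyword-source per CSP 1.0 (simplified grammar, an assumption of this example)
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'"]);
const SCHEME = "[a-zA-Z][a-zA-Z0-9+.-]*";
const SCHEME_SOURCE = new RegExp(`^(${SCHEME}):$`);
// host-source = [ scheme "://" ] host [ port ]; CSP 1.0 has no path component.
const HOST_SOURCE = new RegExp(
  `^(?:(${SCHEME})://)?(\\*|(?:\\*\\.)?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*)(?::(\\d+|\\*))?$`
);
// Assumed default ports used when a host-source omits the port.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function isSourceExpression(token) {
  return KEYWORDS.has(token) || SCHEME_SOURCE.test(token) || HOST_SOURCE.test(token);
}

// Parse one directive value into a list of source expressions.
// An empty list means "match nothing".
function parseSourceList(value) {
  const trimmed = value.trim();
  // The rule quoted in the message: the whole list, whitespace stripped,
  // is a case-insensitive match for 'none' (quotes included) -> empty set.
  if (trimmed.toLowerCase() === "'none'") return [];
  const sources = [];
  for (const token of trimmed.split(/\s+/)) {
    if (token === "") continue;
    // 'none' next to other sources is not a source-expression, so it is
    // ignored like any other token that fails the grammar: a no-op, not
    // an instruction to empty the list.
    if (isSourceExpression(token)) sources.push(token);
  }
  return sources;
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Simplified matcher: may a page at `pageOrigin` load `url` under `sources`?
// Handles 'self', scheme-source and host-source; the inline/eval keywords
// never match a URL. Scheme inheritance and default ports are assumptions.
function allows(sources, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || "";
  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (KEYWORDS.has(src)) continue;
    const scheme = SCHEME_SOURCE.exec(src);
    if (scheme) {
      if (target.protocol === scheme[1].toLowerCase() + ":") return true;
      continue;
    }
    const host = HOST_SOURCE.exec(src);
    if (!host) continue;
    const [, srcScheme, srcHost, srcPort] = host;
    // Assumption: a host-source without a scheme inherits the page's scheme.
    const wantScheme = srcScheme ? srcScheme.toLowerCase() + ":" : page.protocol;
    if (target.protocol !== wantScheme) continue;
    if (!hostMatches(srcHost.toLowerCase(), target.hostname.toLowerCase())) continue;
    const wantPort = srcPort === undefined ? (DEFAULT_PORT[wantScheme] || "") : srcPort;
    if (wantPort !== "*" && wantPort !== targetPort) continue;
    return true;
  }
  return false;
}

// Constructed sample policies, two of them taken from the message.
const SAMPLES = {
  onlyNone: "'none'",
  noneThenHost: "'none' https://example.com",
  noneBetweenHosts: "https://example.com 'none' https://example.net",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, "->", JSON.stringify(parseSourceList(value)));
  }
}
```

Running the block prints the parsed list for each sample: only the bare `'none'` policy produces an empty list, while the other two keep exactly the host sources and lose the `'none'` token. The `allows` helper makes the security consequence visible: a list that parsed as empty refuses every URL, whereas `'none'` mixed into a whitelist leaves that whitelist unchanged.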