- From: Ian Melven <imelven@mozilla.com>
- Date: Mon, 7 Jan 2013 10:14:13 -0800 (PST)
- To: Mike West <mkwst@google.com>
- Cc: Alex Russell <slightlyoff@google.com>, public-webappsec@w3.org
FWIW, it looks like Gecko behaves the same way as well: it will honor 'none' only when it's by itself, but ignore it if there are other sources also as part of the source expression. Ignoring 'none' in this case, as you suggest, makes sense to me.

Thanks,
Ian

----- Original Message -----
From: "Mike West" <mkwst@google.com>
To: public-webappsec@w3.org
Cc: "Alex Russell" <slightlyoff@google.com>
Sent: Monday, January 7, 2013 9:59:49 AM
Subject: 'none' in a source list.

Alex Russell brought up an interesting case off-list that I think is currently under-specified: what do we do when 'none' is included in a source list?

Currently, we specify "If source list (with leading and trailing whitespace stripped) is a case insensitive match for the string 'none' (including the quotation marks), return the empty set." I don't think we say anything about a hypothetical `script-src 'none' https://example.com/` or `script-src https://example.com 'none' https://example.net`.

Alex's suggestion, which I think makes sense, is to explicitly treat 'none' in a source list as a noop. If we think of source lists as strictly additive, then adding 'none' to the whitelist should have no effect.

... Actually, now that I'm typing this, I see that that's more or less what we do in 3.2.2.1 #3: 'none' doesn't match the source-list grammar, so it's not included in the list, but simply ignored. That doesn't match WebKit's implementation, however, so I think it's worth making sure that we agree that it's the right behavior before I poke at http://trac.webkit.org/browser/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp#L360

Thanks!

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 7 January 2013 18:14:41 UTC
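The source-list handling the thread converges on, as an added example that is not code from the thread, the spec text or any browser engine: a lone 'none' yields the empty set, while a 'none' token mixed with other source expressions is dropped as a noop. The `allows` helper is an assumption that simplifies source matching to an origin comparison so the effect of each parse is visible.

```javascript
// Added example, not code from the thread, the spec text or any browser.
// Models only the rule under discussion: how 'none' is handled when parsing
// a CSP directive's source list. Source matching is simplified to an
// origin comparison (an assumption; the real algorithm has more cases).

// Parse a directive value such as "https://example.com 'none' https://example.net"
// into a Set of source expressions.
function parseSourceList(sourceList) {
  const trimmed = sourceList.trim();
  // Whole list is exactly 'none' (case-insensitive): return the empty set.
  if (trimmed.toLowerCase() === "'none'") {
    return new Set();
  }
  const sources = new Set();
  for (const token of trimmed.split(/\s+/)) {
    if (token === "") continue;
    // 'none' mixed with other expressions is a noop: skip it.
    if (token.toLowerCase() === "'none'") continue;
    sources.add(token);
  }
  return sources;
}

// Does a URL match one of the parsed host sources? Simplified to comparing
// serialized origins (scheme, host, port) as a stand-in for full matching.
function allows(sources, url) {
  const target = new URL(url).origin;
  for (const source of sources) {
    let origin;
    try {
      origin = new URL(source).origin;
    } catch (e) {
      continue; // keyword sources such as 'self' are out of scope here
    }
    if (origin === target) return true;
  }
  return false;
}

// Constructed sample policies from the thread, evaluated against a script URL.
const examples = [
  "'none'",
  "'none' https://example.com/",
  "https://example.com 'none' https://example.net",
];
for (const policy of examples) {
  const parsed = parseSourceList(policy);
  console.log(JSON.stringify(policy), "->", [...parsed],
              "allows https://example.com/app.js:",
              allows(parsed, "https://example.com/app.js"));
}
```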