- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 7 Jan 2013 12:16:04 -0800
- To: Ian Melven <imelven@mozilla.com>
- Cc: Mike West <mkwst@google.com>, Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Makes sense to me too.

Adam

On Mon, Jan 7, 2013 at 10:14 AM, Ian Melven <imelven@mozilla.com> wrote:
>
> fwiw, it looks like Gecko behaves the same way as well
>
> it will honor 'none' only when it's by itself but ignore it if there's
> other sources also as a part of the source expression
>
> ignoring 'none' in this case as you suggest makes sense to me
>
> thanks
> ian
>
>
> ----- Original Message -----
> From: "Mike West" <mkwst@google.com>
> To: public-webappsec@w3.org
> Cc: "Alex Russell" <slightlyoff@google.com>
> Sent: Monday, January 7, 2013 9:59:49 AM
> Subject: 'none' in a source list.
>
> Alex Russell brought up an interesting case off-list that I think is
> currently under-specified: what do we do when 'none' is included in a
> source list?
>
> Currently, we specify "If source list (with leading and trailing
> whitespace stripped) is a case insensitive match for the string 'none'
> (including the quotation marks), return the empty set." I don't think
> we say anything about a hypothetical `script-src 'none'
> https://example.com/` or `script-src https://example.com 'none'
> https://example.net`.
>
> Alex's suggestion, which I think makes sense, is to explicitly treat
> 'none' in a source list as a noop. If we think of source lists as
> strictly additive, then adding 'none' to the whitelist should have no
> effect.
>
> ...
>
> Actually, now that I'm typing this, I see that that's more or less
> what we do in 3.2.2.1 #3: 'none' doesn't match the source-list
> grammar, so it's not included in the list, but simply ignored.
>
> That doesn't match WebKit's implementation, however, so I think it's
> worth making sure that we agree that it's the right behavior before I
> poke at http://trac.webkit.org/browser/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp#L360
>
> Thanks!
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
Received on Monday, 7 January 2013 20:17:05 UTC
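The source-list handling the thread converges on (a lone 'none' yields the empty set; a 'none' next to other sources falls outside the grammar and is dropped), as an added example that is not code from the spec, WebKit or Gecko. It assumes a simplified subset of the CSP 1.0 source-expression grammar and goes a step beyond the thread by linting a whole header, so a policy author who wrote `script-src 'none' https://cdn.example` expecting scripts to be blocked is told that the 'none' was ignored.

```python
import re

# Assumption: a reduced source-expression grammar (keyword, scheme and host
# sources). The real ABNF is longer, but 'none' fails both, which is the point.
_KEYWORD = r"'(?:self|unsafe-inline|unsafe-eval)'"
_SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*:"
_HOST = (r"(?:[A-Za-z][A-Za-z0-9+.-]*://)?"          # optional scheme
         r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"  # host / wildcard
         r"(?::(?:\*|\d+))?"                           # optional port
         r"(?:/[^\s]*)?")                              # optional path
_SOURCE_EXPR = re.compile(rf"^(?:{_KEYWORD}|{_SCHEME}|{_HOST})$")


def parse_source_list(value: str) -> tuple[set[str], list[str]]:
    """Return (allowed sources, ignored tokens) for one directive's value."""
    stripped = value.strip()
    # The spec step quoted in the thread: 'none' on its own, case-insensitively,
    # is the empty set (nothing is allowed).
    if stripped.lower() == "'none'":
        return set(), []
    allowed, ignored = set(), []
    for token in stripped.split():
        if _SOURCE_EXPR.match(token):
            allowed.add(token)
        else:
            # 'none' (and any other token outside the grammar) is a noop here:
            # source lists are additive, so it adds nothing and removes nothing.
            ignored.append(token)
    return allowed, ignored


def lint_policy(policy: str) -> dict[str, set[str]]:
    """Parse a Content-Security-Policy header value into {directive: sources}
    and warn about every directive where a 'none' token was silently dropped."""
    result: dict[str, set[str]] = {}
    for directive in policy.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition(" ")
        allowed, ignored = parse_source_list(value)
        if any(t.lower() == "'none'" for t in ignored):
            print(f"warning: {name}: 'none' ignored next to {sorted(allowed)}")
        result[name.lower()] = allowed
    return result


if __name__ == "__main__":
    # Constructed sample header mirroring the two cases raised in the thread.
    print(lint_policy("script-src 'none' https://example.com/; "
                      "style-src https://example.com 'none' https://example.net; "
                      "default-src 'none'"))
```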