
Re: CSP: origin from a URL

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Jun 2013 21:19:32 -0700
Message-ID: <CAJE5ia_rV0U2QrfHA9cV1c1PZx9mt7AYn2GvAk-oDyayrnzAJQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Tue, Jun 25, 2013 at 3:31 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Why does https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reporting
> use a different algorithm to derive an origin from a URL?

Different from what?

> Also, it
> seems somewhat confusing to have this new origin type, actual origins,
> and URLs, in the same value space. Even though the property says
> "blocked-uri" you wouldn't be able to parse it with a URL parser and
> get a sensible result.

I'm not sure I understand.  Can you give a specific situation where
something problematic happens?

What we've tried to do with this field is include as much information
about the blocked URI as we can do safely.  In the same-origin case,
we can include the URI with the fragment removed.  For the
cross-origin case, we need to strip out the path and query portions as
well.  I guess we could do that directly instead of converting to an
origin and then serializing back to ASCII.  We'd just have to be
careful to do something sensible with data URIs.

Adam

Received on Wednesday, 26 June 2013 04:20:31 UTC
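The rule Adam describes for the `blocked-uri` field, written out as an added example (this is not code from the email, the W3C archive, or the CSP specification): a same-origin blocked URL is reported with only its fragment removed, while a cross-origin blocked URL is reduced to its serialized origin, so the field's value space really is a mix of full URLs and bare origins, which is the point Anne raises. The code uses the WHATWG URL parser available in Node.js and browsers. The treatment of non-HTTP(S) schemes such as `data:` is an assumption: the email only says to "do something sensible", and emitting the scheme alone is one conservative choice that keeps inline content carried in the URL itself out of the report.

```javascript
// Added example, not from the email or the CSP spec text: derive the value a
// user agent could put in the "blocked-uri" field of a CSP violation report.
// Same-origin -> full URL minus fragment; cross-origin -> serialized origin.
// Uses the WHATWG URL parser (global `URL` in Node.js and browsers).

const HTTP_SCHEMES = new Set(['http:', 'https:']);

// Return the ASCII serialization of `url` with its fragment removed.
// Setting `hash` to '' clears the fragment and drops the '#' from `href`.
function stripFragment(url) {
  const copy = new URL(url.href);
  copy.hash = '';
  return copy.href;
}

// protectedResource: URL of the document whose policy was violated.
// blocked: the URL the policy blocked.
// Returns the string to report as "blocked-uri".
function blockedUriForReport(protectedResource, blocked) {
  const doc = new URL(protectedResource);
  const target = new URL(blocked);

  // Assumption (not specified in the email): for non-HTTP(S) schemes such as
  // data: or blob:, report only the scheme. A data: URL embeds the resource
  // body in the URL itself, so echoing it back would leak that content.
  if (!HTTP_SCHEMES.has(target.protocol)) {
    return target.protocol.replace(/:$/, '');
  }

  // Same origin: the page could already read this URL, so path and query are
  // safe to include; only the fragment is dropped.
  if (target.origin === doc.origin) {
    return stripFragment(target);
  }

  // Cross origin: path and query could reveal information the page cannot
  // otherwise observe (for example a redirect target), so report the origin only.
  return target.origin;
}

// Demonstration on constructed URLs (not real sites):
const page = 'https://app.example/dashboard?tab=1';
console.log(blockedUriForReport(page, 'https://app.example/api/data?id=7#x'));
// -> https://app.example/api/data?id=7
console.log(blockedUriForReport(page, 'https://cdn.third-party.example/track?uid=123'));
// -> https://cdn.third-party.example
console.log(blockedUriForReport(page, 'data:text/plain,hello'));
// -> data
```

Note that the origin comparison is done on parsed origins rather than on string prefixes, so `https://app.example:443/y` is treated as same-origin with `https://app.example/` and is reported with its default port omitted, while `http://app.example/` (different scheme) is cross-origin and collapses to `http://app.example`.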
