Re: CSP: origin from a URL

On Wed, Jun 26, 2013 at 5:41 PM, Adam Barth <w3c@adambarth.com> wrote:
> I guess I'm not sure what behavior you're advocating for...  Are you
> happy with the status quo?  Would you prefer that we stripped the URL
> ourselves without referring to rfc6454?

I was not trying to advocate anything in particular. I was trying to
understand why this field mixes various data types.


> It sounds like you think we should always have a valid URL in this
> field, which seems reasonable.  If the blocked URL is a data URL,
> presumably we don't want to send the whole data URL in the report...
> Maybe we should find another way of summarizing the data URL that is
> still a valid URL?

If it's just data URLs for which this is a problem, "data:," is the
shortest valid data URL I know of. But I think it might be a problem
for blob URLs too. We could probably make the URL parser work for
"data:" and "blob:". They would not be valid data or blob URLs, but
would parse as URLs, if that makes sense.


--
http://annevankesteren.nl/

Received on Thursday, 27 June 2013 13:41:48 UTC
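
The following is an added illustration, not part of the message above and not CSP specification text. It sketches one way to reduce a blocked URL to a report value that still parses as a URL: the origin for ordinary URLs, and the bare scheme ("data:", "blob:") for the cases discussed in the thread. The helper names and the sample URLs are assumptions constructed for the example.

```javascript
// Hypothetical helpers for illustration; the sample URLs are constructed.
// Schemes reduced to the bare scheme, per the "data:" / "blob:" idea in the thread.
const SCHEME_ONLY = new Set(["data:", "blob:"]);

// Returns a short value safe to place in a violation report, or null if
// the input is not an absolute URL.
function summarizeBlockedUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // unparseable input: nothing meaningful to report
  }
  // data: URLs embed their whole payload and blob: URLs embed an opaque id,
  // so neither should be copied into a report. Any other URL with an opaque
  // origin (serialized as "null") is treated the same way.
  if (SCHEME_ONLY.has(url.protocol) || url.origin === "null") {
    return url.protocol;
  }
  // Hierarchical URL: keep scheme, host and port; drop path, query, fragment.
  return url.origin;
}

// True when the summarized value is itself accepted by the URL parser,
// which is the property the thread asks the report field to have.
function parsesAsUrl(value) {
  try {
    new URL(value);
    return true;
  } catch {
    return false;
  }
}

const samples = [
  "https://example.com/app/login?token=abc123#frag",
  "data:text/html;base64,PHNjcmlwdD4=",
  "blob:https://example.com/0f8fad5b-d9cb-469f-a165-70867728950e",
  "data:,",
];

for (const s of samples) {
  const summary = summarizeBlockedUrl(s);
  console.log(`${s} -> ${summary} (parses: ${parsesAsUrl(summary)})`);
}
```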