W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: CSP: origin from a URL

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 27 Jun 2013 14:41:21 +0100
Message-ID: <CADnb78h0EZ2L8EWQBwCMYVxG8isfM7Ch6j47gBERmP3ZjPf+AA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Jun 26, 2013 at 5:41 PM, Adam Barth <w3c@adambarth.com> wrote:
> I guess I'm not sure what behavior you're advocating for...  Are you
> happy with the status quo?  Would you prefer that we stripped the URL
> ourselves without referring to rfc6454?

I was not trying to advocate anything in particular. I was trying to
understand why this field mixes various data types.

> It sounds like you think we should always have a valid URL in this
> field, which seems reasonable.  If the blocked URL is a data URL,
> presumably we don't want to send the whole data URL in the report...
> Maybe we should find another way of summarizing the data URL that is
> still a valid URL?

If it's just data URLs for which this is a problem, "data:," is the
shortest valid data URL I know of. But I think it might be a problem
for blob URLs too. We could probably make the URL parser work for
"data:" and "blob:". They would not be valid data or blob URLs, but
would parse as URLs, if that makes sense.

Received on Thursday, 27 June 2013 13:41:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC