- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 28 Jun 2013 00:24:40 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
Received on Friday, 28 June 2013 07:25:11 UTC
On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
> If it's just data URLs for which this is a problem, "data:," is the
> shortest valid data URL I know of. But I think it might be a problem
> for blob URLs too. We could probably make the URL parser work for
> "data:" and "blob:". They would not be valid data or blob URLs, but
> would parse as URLs, if that makes sense.

Pretty sure we decided blob: was covered by 'self', so you shouldn't need to specify that one.

"javascript:" we don't really allow; you need to use 'unsafe-inline' instead.

"file:" isn't allowed from web content, so the only time that would really come up would be local testing (with a <meta>-specified policy), in which case 'self' covers that, too.

There are a bunch of protocols that launch other services, like tel:, mailto:, mms:, rtsp:... Even if you imagine that the HTML engine is part of an application that knows how to handle those internally (e.g. the SeaMonkey browser also handles the mailto:, news:, and irc: schemes among others), they won't be incorporated into the CSP-protected document.

In practice data: might be the only non-hierarchical scheme we have to worry about.

-Dan Veditz
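The distinction the thread is circling, that a bare "data:" or "blob:" must be accepted as a scheme-source even though it is not a valid URL of that scheme, and that blob: URLs minted by the document's own origin are treated as 'self', can be shown with a small source-list matcher. This is an added example, not code from the thread or from any browser; the policy strings, origins and URLs are constructed, and the blob:-as-'self' rule is taken from Dan's statement above rather than from a spec.

```javascript
"use strict";

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Origin of a blob: URL, recovered from the URL it was minted for ("blob:https://app.example/uuid").
function blobOrigin(url) {
  try { return new URL(url.pathname).origin; } catch { return "null"; }
}

// Does one CSP source expression match the URL, given the protected document's origin?
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") {
    // Assumption taken from the thread: blob: URLs created by the document's origin count as 'self'.
    const origin = url.protocol === "blob:" ? blobOrigin(url) : url.origin;
    return origin === selfOrigin;
  }
  if (s.startsWith("'")) return false;              // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {              // scheme-source: "data:", "blob:", "https:"
    return url.protocol === s;                       // "data:" is not a data URL, but it parses as a scheme
  }
  // host-source: [scheme://]host[:port]; wildcards and paths are left out of this demo
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;
  const [, hs, hh, hp] = m;
  if (hs && url.protocol !== hs + ":") return false;
  if (url.hostname !== hh) return false;
  return hp ? (url.port || DEFAULT_PORT[url.protocol]) === hp : url.port === "";
}

// Parse "default-src 'self'; img-src 'self' data:" into a Map of directive name -> source list.
// CSP keeps only the first occurrence of a directive, so later duplicates are ignored.
function parsePolicy(policy) {
  const dirs = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !dirs.has(name.toLowerCase())) dirs.set(name.toLowerCase(), sources);
  }
  return dirs;
}

// Would this policy allow a fetch governed by `directive` from `urlString`? Falls back to default-src.
function allows(policy, directive, urlString, selfOrigin) {
  const dirs = parsePolicy(policy);
  const sources = dirs.get(directive) || dirs.get("default-src") || [];
  let url;
  try { url = new URL(urlString); } catch { return false; }  // an unparseable URL is never allowed
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}
```

With `default-src 'self'; img-src 'self' data:` and a document at https://app.example, a data: image is allowed, a data: script is not (it falls back to default-src), and a blob: image is allowed only when the blob was minted by app.example.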