
Re: CSP: origin from a URL

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 28 Jun 2013 00:24:40 -0700
Message-ID: <51CD3A38.1010306@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>
CC: Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
> If it's just data URLs for which this is a problem, "data:," is the
> shortest valid data URL I know of. But I think it might be a problem
> for blob URLs too. We could probably make the URL parser work for
> "data:" and "blob:". They would not be valid data or blob URLs, but
> would parse as URLs, if that makes sense.

Pretty sure we decided blob: was covered by 'self' so you shouldn't need
to specify that one.

"javascript:" we don't really allow, you need to use 'unsafe-inline'
instead.

"file:" isn't allowed from web content so the only time that would
really come up would be local testing (with a <meta>-specified policy)
in which case 'self' covers that, too.

There are a bunch of protocols that launch other services, like tel:,
mailto:, mms:, rtsp:... Even if you imagine that the HTML engine is part
of an application that knows how to handle those internally (e.g. the
SeaMonkey browser also handles the mailto:, news:, and irc: schemes
among others) they won't be incorporated into the CSP-protected document.

In practice data: might be the only non-hierarchical scheme we have to
worry about.

-Dan Veditz
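As an added illustration (not part of this thread, of the CSP specification, or of any browser's code), a simplified source-list matcher that shows the point about data:. A URL with no host yields no origin, so neither 'self' nor a host-source can ever match it; only a scheme-source such as `data:` can. The policy strings and hostnames are constructed, and the matcher omits wildcards, paths and the other grammar of the real spec.

```python
# Simplified CSP source-list matcher (constructed illustration, not spec code).
# Shows why a non-hierarchical scheme such as data: needs its own scheme-source.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a hierarchical URL, or None when the URL
    has no host (data:, javascript:, ...) and therefore no derivable origin."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def source_matches(source, url, self_origin):
    """Match one source expression against a URL.

    Supported forms: 'self', a scheme-source ("data:", "https:") and a
    host-source written as scheme://host[:port] (no wildcards, no paths).
    """
    if source == "'self'":
        # 'self' compares origins; a URL without an origin can never match.
        return origin_of(url) == self_origin
    if source.endswith(":"):
        # scheme-source: any URL of that scheme matches, host or no host.
        return urlsplit(url).scheme == source[:-1]
    # host-source: scheme, host and port must all agree with the URL's origin.
    url_origin = origin_of(url)
    return url_origin is not None and url_origin == origin_of(source)


def allowed(source_list, url, self_origin):
    """True if any expression in the space-separated source list matches."""
    return any(source_matches(s, url, self_origin) for s in source_list.split())


# Constructed document origin for the checks below.
SELF = origin_of("https://example.org/page")
```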



Received on Friday, 28 June 2013 07:25:11 UTC
