Re: CSP: origin from a URL

On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
> If it's just data URLs for which this is a problem, "data:," is the
> shortest valid data URL I know of. But I think it might be a problem
> for blob URLs too. We could probably make the URL parser work for
> "data:" and "blob:". They would not be valid data or blob URLs, but
> would parse as URLs, if that makes sense.

Pretty sure we decided blob: was covered by 'self' so you shouldn't need
to specify that one.

"javascript:" we don't really allow, you need to use 'unsafe-inline'
instead.

"file:" isn't allowed from web content so the only time that would
really come up would be local testing (with a <meta>-specified policy)
in which case 'self' covers that, too.

There are a bunch of protocols that launch other services, like tel:,
mailto:, mms:, rtsp:... Even if you imagine that the HTML engine is part
of an application that knows how to handle those internally (e.g. the
SeaMonkey browser also handles the mailto:, news:, and irc: schemes
among others) they won't be incorporated into the CSP-protected document.

In practice data: might be the only non-hierarchical scheme we have to
worry about.

-Dan Veditz

Received on Friday, 28 June 2013 07:25:11 UTC
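An added example, not code from this thread or from any browser's CSP implementation: a minimal Python source-list matcher that models the cases discussed above, treating a scheme-only source such as `data:` as matching any URL of that scheme, `blob:` URLs as covered by `'self'`, `javascript:` URLs as permitted only through `'unsafe-inline'`, and `file:` as reachable only when the document itself is a `file:` page. It assumes exact scheme/host/port comparison for host sources (no wildcards, paths or ports handling) and is a simplification, not the spec's full matching algorithm.

```python
from urllib.parse import urlsplit

# Constructed, simplified model of CSP source matching for the schemes
# discussed in the thread. Not the specification's algorithm.

def _origin(url: str) -> str:
    """scheme://host[:port] of an absolute URL, lowercased; '' host for non-hierarchical URLs."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}"

def source_matches(source: str, url: str, document_origin: str) -> bool:
    """Does one CSP source expression permit loading `url` from a document at `document_origin`?"""
    scheme = urlsplit(url).scheme.lower()
    if source == "'self'":
        # Same origin as the document. blob: URLs are treated as covered by
        # 'self', as the thread states (assumption: no separate blob: source needed).
        return scheme == "blob" or _origin(url) == document_origin.lower()
    if source == "'unsafe-inline'":
        # Not a URL source at all; it is what lets javascript: URLs run.
        return scheme == "javascript"
    if source.endswith(":") and "/" not in source:
        # Scheme-only source such as "data:" or "https:".
        # A "javascript:" source expression is ignored, per the thread.
        wanted = source[:-1].lower()
        return wanted != "javascript" and scheme == wanted
    # Host source like "https://cdn.example.com": exact scheme/host/port match.
    return _origin(url) == _origin(source)

def is_allowed(source_list: str, url: str, document_origin: str) -> bool:
    """True if any source expression in the directive value permits `url`."""
    if urlsplit(url).scheme.lower() == "file" and not document_origin.lower().startswith("file:"):
        return False  # file: is never reachable from web content; only a local file: page can use it
    return any(source_matches(s, url, document_origin) for s in source_list.split())
```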