Re: CSP: origin from a URL

On Fri, Jun 28, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
>> If it's just data URLs for which this is a problem, "data:," is the
>> shortest valid data URL I know of. But I think it might be a problem
>> for blob URLs too. We could probably make the URL parser work for
>> "data:" and "blob:". They would not be valid data or blob URLs, but
>> would parse as URLs, if that makes sense.
>
> Pretty sure we decided blob: was covered by 'self' so you shouldn't need
> to specify that one.

Even though blob is covered by 'self', you might still need to include
it in a violation report.  The site doesn't necessarily need to
whitelist 'self'.

Adam

Received on Friday, 28 June 2013 16:38:47 UTC