On 8/30/2013 2:05 PM, Brad Hill wrote:
> I started writing CSP tests for workers, and realized that the blob:
> scheme can be used to circumvent inline-script and eval protections. You
> can grab text out of the DOM or any string, use createObjectURL() and
> run it as script, so long as 'self' is in the policy.

Where we go wrong is in section 3.2.2.2 where matching rules allow "*" to match all schemes. We'd be better off treating it as implied by the syntax in 3.2.2: According to the syntax the "*" is part of the "host" production, which has an optional scheme part. Elsewhere in the matching rules if the scheme is not present then the scheme must match the document's scheme; as an exception we also allow https: to match documents which have a http: scheme.

Currently if you specify * it will match ftp, gopher, aim, file, and anything that might get invented after the page author specifies their policy.

-Dan Veditz
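The scheme rule Dan describes, as an added example that is not part of the thread and not the CSP specification's own matching algorithm: a toy source-expression matcher in which an expression with no explicit scheme (including a bare "*") inherits the document's scheme, with the single exception that https: may match resources of an http: document. The `starMatchesAnyScheme` option reproduces the section 3.2.2.2 reading he objects to, so the two can be compared on a blob: or ftp: URL. The function names, the `starMatchesAnyScheme` flag and the sample URLs are all assumptions made for this illustration; ports, paths and keyword sources such as 'self' are left out of the grammar.

```javascript
// Added example: a simplified CSP source-expression matcher implementing the
// proposed scheme rule. Not browser code and not the spec's algorithm.

const SCHEME = "[a-z][a-z0-9+.-]*";

// Split a source expression into { scheme, host }; either part may be null.
function parseSourceExpression(expr) {
  // scheme-only form, e.g. "https:" or "blob:"
  let m = expr.match(new RegExp(`^(${SCHEME}):$`, "i"));
  if (m) return { scheme: m[1].toLowerCase(), host: null };
  // [scheme://]host form, e.g. "example.com", "*.example.com",
  // "https://example.com" or a bare "*"
  m = expr.match(new RegExp(
    `^(?:(${SCHEME}):\\/\\/)?(\\*|(?:\\*\\.)?[a-z0-9-]+(?:\\.[a-z0-9-]+)*)$`, "i"));
  if (m) return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
  throw new Error("unsupported source expression: " + expr);
}

// Scheme and host of a URL via the WHATWG URL parser built into Node and
// browsers; protocol comes back with a trailing ":" which is stripped here.
function parseUrl(u) {
  const parsed = new URL(u);
  return { scheme: parsed.protocol.slice(0, -1).toLowerCase(),
           host: parsed.hostname.toLowerCase() };
}

function schemeMatches(exprScheme, exprHost, docScheme, urlScheme, starMatchesAnyScheme) {
  // An explicit scheme in the expression is honoured exactly as written.
  if (exprScheme !== null) return exprScheme === urlScheme;
  // The 3.2.2.2 reading: a bare "*" matches every scheme (blob:, ftp:, file:, ...).
  if (starMatchesAnyScheme && exprHost === "*") return true;
  // Proposed rule: no scheme in the expression means the document's scheme,
  // plus the https-for-http exception.
  if (urlScheme === docScheme) return true;
  return docScheme === "http" && urlScheme === "https";
}

function hostMatches(exprHost, urlHost) {
  if (exprHost === null || exprHost === "*") return true;
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1);            // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Does the resource at resourceUrl match source expression expr for a policy
// delivered with the document at documentUrl?
function matchesSource(expr, documentUrl, resourceUrl, { starMatchesAnyScheme = false } = {}) {
  const src = parseSourceExpression(expr);
  const doc = parseUrl(documentUrl);
  const res = parseUrl(resourceUrl);
  return schemeMatches(src.scheme, src.host, doc.scheme, res.scheme, starMatchesAnyScheme)
      && hostMatches(src.host, res.host);
}
```

Under the proposed rule, `matchesSource("*", "https://app.example/page", "blob:https://app.example/0000-1111")` is false, while the same call with `{ starMatchesAnyScheme: true }` is true; an author who actually wants blob: has to say so with an explicit `blob:` source, which is the point of the proposal.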
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC