- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 03 Sep 2013 11:05:07 -0700
- To: Brad Hill <hillbrad@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 3 September 2013 18:05:39 UTC
On 8/30/2013 2:05 PM, Brad Hill wrote:
> I started writing CSP tests for workers, and realized that the blob:
> scheme can be used to circumvent inline-script and eval protections. You
> can grab text out of the DOM or any string, use createObjectURL() and
> run it as script, so long as 'self' is in the policy.

Where we go wrong is in section 3.2.2.2 where matching rules allow "*" to match all schemes. We'd be better off treating it as implied by the syntax in 3.2.2: according to the syntax the "*" is part of the "host" production, which has an optional scheme part. Elsewhere in the matching rules if the scheme is not present then the scheme must match the document's scheme; as an exception we also allow https: to match documents which have a http: scheme.

Currently if you specify * it will match ftp, gopher, aim, file, and anything that might get invented after the page author specifies their policy.

-Dan Veditz
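To make the two readings of "*" concrete, here is an added example (not code from the email, from Mozilla, or from the CSP specification) of a small source-expression matcher. It implements the scheme-less matching rule Dan describes, in which a "*" host with no scheme inherits the document's scheme (with https: also allowed for http: documents), beside the "match every scheme" reading he objects to. The function names, the "mode" parameter and the sample URLs and policies are assumptions constructed for the example; 'self' is deliberately left out because the point here is how "*" behaves.

```javascript
// Added example: contrast two readings of "*" in a CSP source list.
// Names, the mode switch and all sample URLs are constructed for illustration.

// Split a URL into scheme and host. Opaque schemes such as blob: carry no
// "//host" part, so host comes back as "" for them.
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/?#]*))?/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: (m[2] || "").toLowerCase() };
}

// Rule for a source expression that names no scheme: the resource scheme must
// equal the document scheme, except that https: may satisfy an http: document.
function schemeMatches(docScheme, resScheme) {
  if (docScheme === resScheme) return true;
  return docScheme === "http" && resScheme === "https";
}

// Match a single source expression against a resource URL.
//   mode "all-schemes":     "*" matches any scheme at all (the reading in 3.2.2.2).
//   mode "document-scheme": "*" is a host wildcard with an absent scheme, so the
//                           scheme-less rule above applies (the proposed reading).
function sourceMatches(expr, resourceUrl, documentUrl, mode) {
  const res = splitUrl(resourceUrl);
  const doc = splitUrl(documentUrl);
  if (!res || !doc) return false;

  if (expr === "*") {
    if (mode === "all-schemes") return true;
    // A host wildcard still needs a host to match; blob:/data: have none.
    return schemeMatches(doc.scheme, res.scheme) && res.host !== "";
  }

  // Scheme-only source such as "blob:" or "https:" (explicitly opted in).
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return res.scheme === expr.slice(0, -1).toLowerCase();
  }

  // Host source with optional scheme and optional leading "*." label wildcard.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(expr);
  if (!m) return false;
  const exprScheme = m[1] ? m[1].toLowerCase() : null;
  const labelWildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const schemeOk = exprScheme
    ? res.scheme === exprScheme
    : schemeMatches(doc.scheme, res.scheme);
  const hostOk = labelWildcard ? res.host.endsWith("." + host) : res.host === host;
  return schemeOk && hostOk;
}

// Evaluate a whitespace-separated source list the way a script-src directive would.
function allowedByPolicy(sourceList, resourceUrl, documentUrl, mode) {
  return sourceList
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => sourceMatches(expr, resourceUrl, documentUrl, mode));
}

// Constructed sample: an https: page with "script-src *" and a blob: script URL.
const page = "https://example.com/page";
const blobScript = "blob:https://example.com/constructed-object-id";
console.log("all-schemes allows blob:     ", allowedByPolicy("*", blobScript, page, "all-schemes"));
console.log("document-scheme allows blob: ", allowedByPolicy("*", blobScript, page, "document-scheme"));
console.log("ftp under document-scheme:   ", allowedByPolicy("*", "ftp://files.example.org/x.js", page, "document-scheme"));
```

Under the "document-scheme" reading a page served over https: that says `script-src *` still only admits https: hosts, and blob:, ftp: or any scheme invented later must be opted into explicitly (for example with `blob:` in the source list), which is the behaviour the message argues the syntax already implies.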