
Re: [webappsec] CSP: are blob uri's really just origin='self'?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 03 Sep 2013 14:14:28 -0700
Message-ID: <52265134.4030001@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
More evidence of the problem. Unless we restrict "*" to mean "same
scheme" or "http/https only" we're going to keep adding exceptions and
getting bit when people invent new schemes. Keep it simple for web
developers:
  - CSP is an HTTP header, "*" means HTTP(s) things
  - anything else must be explicit

-Dan Veditz

On 9/3/2013 1:48 PM, Devdatta Akhawe wrote:
> Should we add filesystem: URIs to that list? I think there was a claimed
> Chrome extensions' CSP bypass due to filesystem: URIs at this year's
> AppSecEU: http://is.gd/mq1GLQ
> 
> -dev
> 
> On 3 September 2013 13:38, Brad Hill <hillbrad@gmail.com
> <mailto:hillbrad@gmail.com>> wrote:
> 
>     We had an action item for some time to clarify this, that we
>     dropped.  I'd propose something like the following:
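As an added illustration of the rule proposed in the message above (this is not code from the thread, from the CSP specification, or from any browser), here is a small Python CSP source matcher in which `*` covers only http and https URLs, so blob: and filesystem: resources, the two cases raised in the thread, are blocked unless their scheme is listed explicitly. The `wildcard_all_schemes` switch is a constructed knob that reproduces the looser reading the thread objects to, where `*` silently covers any scheme. The page origin, policies and URLs are constructed sample values, and the matcher is deliberately simplified: no path matching, no ws/wss, no http-to-https upgrading of scheme-less host sources.

```python
from urllib.parse import urlsplit

# Added example, not code from the thread or from any browser: a simplified
# CSP source-expression matcher applying the rule proposed in the message,
# i.e. "*" covers HTTP(s) only and every other scheme must be listed.
# It ignores path matching, ws/wss and http->https upgrading.

NETWORK_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_origin(url):
    """Return (scheme, host, port) for url; port falls back to the scheme default."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def host_matches(pattern, host):
    """Exact host match, or wildcard match for patterns such as '*.example'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_matches(source, url, page_origin, wildcard_all_schemes=False):
    """Does a single CSP source expression allow `url`?

    wildcard_all_schemes=True (a constructed switch) reproduces the looser
    reading the thread objects to, where "*" silently covers blob:,
    filesystem: and any scheme invented later.
    """
    scheme, host, port = url_origin(url)
    if source == "'self'":
        # 'self' compares scheme, host and port, so a blob: URL is not 'self'.
        return (scheme, host, port) == page_origin
    if source.startswith("'"):
        # 'none', 'unsafe-inline', nonces, hashes: never URL matches here.
        return False
    if source == "*":
        return wildcard_all_schemes or scheme in NETWORK_SCHEMES
    if source.endswith(":") and "/" not in source:
        # scheme-source such as "blob:" or "filesystem:": explicit opt-in
        return scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    src_scheme, sep, rest = source.partition("://")
    if sep:
        if scheme != src_scheme.lower():
            return False
    else:
        rest = source
        if scheme not in NETWORK_SCHEMES:  # bare hosts never cover blob:/filesystem:
            return False
    host_part = rest.split("/", 1)[0]
    pat_host, _, pat_port = host_part.partition(":")
    if not host_matches(pat_host.lower(), host):
        return False
    if pat_port == "*":
        return True
    if pat_port == "":
        return port == DEFAULT_PORTS.get(scheme)
    return port == int(pat_port)


def policy_allows(directive_value, url, page_origin, wildcard_all_schemes=False):
    """True if any source in a directive value (e.g. "'self' * blob:") allows url."""
    return any(source_matches(s, url, page_origin, wildcard_all_schemes)
               for s in directive_value.split())


if __name__ == "__main__":
    page = ("https", "app.example", 443)  # constructed page origin
    blob = "blob:https://app.example/0a1b2c3d-constructed"
    fs = "filesystem:https://app.example/temporary/x.js"
    for policy in ("*", "* blob:", "'self'", "* blob: filesystem:"):
        print(f"script-src {policy:<22} blob: {policy_allows(policy, blob, page)!s:<5} "
              f"filesystem: {policy_allows(policy, fs, page)}")
```

Running the block prints, for each sample `script-src` value, whether the constructed blob: and filesystem: URLs would load. Under the strict reading only the policies that name `blob:` or `filesystem:` allow them; flipping `wildcard_all_schemes` to `True` is what makes a bare `*` cover them, which is the behaviour the thread wants to rule out.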

Received on Tuesday, 3 September 2013 21:15:01 UTC
