RE: [Workers] CSP and SharedWorkers

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 27 Sep 2013 16:02:03 +0000
To: Jonas Sicking <jonas@sicking.cc>, Kyle Huey <me@kylehuey.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Anne van Kesteren <annevk@annevk.nl>, Alex Russell <slightlyoff@google.com>, Daniel Veditz <dveditz@mozilla.com>, Sid Stamm <sstamm@mozilla.com>, Ben Turner <bent.mozilla@gmail.com>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E359C5B61@DEN-EXDDA-S12.corp.ebay.com>


> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
> What do implementations do with regards to linking <script> to
> blob/data/filesystem? Are they treated like normal protocols, or are they
> treated like eval()? If they are treated like normal protocols then maybe we can
> simply not have any special rules for them and say that for now they never get a
> CSP.

[Hill, Brad] We're working through this at the moment, actually, since we've uncovered issues related to this in testing.  The proposals on the table are:

1) Allow blob/data/filesystem if 'self' (or equivalent) is allowed for everything but script and style, but require unsafe-eval for script and style.

2) Require that these schemes be explicitly listed (exclude them from the * production) with a warning that doing so is equivalent to unsafe-eval.

Happy to hear further thoughts on this.

-Brad
Received on Friday, 27 September 2013 16:02:33 UTC
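
Added example (not part of the original message, and not any browser's implementation): a simplified JavaScript model of how the two proposals above would decide whether a blob:, data: or filesystem: URL may load under a given policy. The function names and sample policies are constructed for illustration; proposal 1 is modeled under the assumption that only the literal 'self' keyword counts (the "or equivalent" case is not modeled), and host and path matching is omitted.

```javascript
// Added illustration: a simplified model, not a real CSP parser or any browser's code.
const LOCAL_SCHEMES = new Set(["blob:", "data:", "filesystem:"]);
const CODE_DIRECTIVES = new Set(["script-src", "style-src"]);

// Parse "img-src *; script-src 'self'" into Map(directive -> Set(source expressions)).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name)) directives.set(name, new Set(sources));
  }
  return directives;
}

// Source list governing a directive, falling back to default-src.
// null means the policy does not restrict this resource type at all.
function sourcesFor(policy, directive) {
  const parsed = parsePolicy(policy);
  return parsed.get(directive) ?? parsed.get("default-src") ?? null;
}

function requireLocalScheme(scheme) {
  if (!LOCAL_SCHEMES.has(scheme)) throw new RangeError(`not a local scheme: ${scheme}`);
}

// Proposal 1 (assumed reading): 'self' admits local schemes, except that
// script-src and style-src need 'unsafe-eval' instead.
function allowedUnderProposal1(policy, directive, scheme) {
  requireLocalScheme(scheme);
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  return CODE_DIRECTIVES.has(directive) ? sources.has("'unsafe-eval'") : sources.has("'self'");
}

// Proposal 2: only an explicitly listed scheme matches; "*" does not cover it.
function allowedUnderProposal2(policy, directive, scheme) {
  requireLocalScheme(scheme);
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  return sources.has(scheme);
}

// Constructed sample policies, evaluated for a blob: script and a data: image.
const SAMPLES = ["default-src *", "default-src 'self'; script-src 'self' 'unsafe-eval'", "img-src data:; script-src 'self' blob:"];
for (const policy of SAMPLES) {
  console.log(policy, {
    p1: [allowedUnderProposal1(policy, "script-src", "blob:"), allowedUnderProposal1(policy, "img-src", "data:")],
    p2: [allowedUnderProposal2(policy, "script-src", "blob:"), allowedUnderProposal2(policy, "img-src", "data:")],
  });
}
```

In this model the second and third sample policies give opposite results under the two proposals, which is the migration cost a site would face depending on which one is adopted.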