- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Fri, 27 Sep 2013 16:02:03 +0000
- To: Jonas Sicking <jonas@sicking.cc>, Kyle Huey <me@kylehuey.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Anne van Kesteren <annevk@annevk.nl>, Alex Russell <slightlyoff@google.com>, Daniel Veditz <dveditz@mozilla.com>, Sid Stamm <sstamm@mozilla.com>, Ben Turner <bent.mozilla@gmail.com>
> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
>
> What do implementations do with regards to linking <script> to
> blob/data/filesystem? Are they treated like normal protocols, or are they
> treated like eval()? If they are treated like normal protocols then maybe we can
> simply not have any special rules for them and say that for now they never get a
> CSP.

[Hill, Brad] We're working through this at the moment, actually, since we've uncovered issues related to this in testing. The proposals on the table are:

1) Allow blob/data/filesystem if 'self' (or equivalent) is allowed for everything but script and style, but require unsafe-eval for script and style.

2) Require that these schemes be explicitly listed (exclude them from the * production) with a warning that doing so is equivalent to unsafe-eval.

Happy to hear further thoughts on this.

-Brad
Received on Friday, 27 September 2013 16:02:33 UTC
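The two proposals differ only in how a blob:, data: or filesystem: URL is matched against a source list, so the difference is easiest to see in a small matcher. The following is an added example written for this archive page; it is not code from the thread, from the CSP specification or from any browser. It is a toy model: the policy grammar is reduced to `'self'`, `'unsafe-eval'`, `*`, `scheme:` and exact-origin host sources, the page origin is passed in explicitly, and the treatment of `*` or an explicitly listed scheme as "equivalent" to `'self'` under proposal 1 is my reading of Brad's wording, not something the thread states. The sample policy and probe URLs are constructed.

```javascript
'use strict';

// Added example, not code from the thread, the CSP spec or any browser.
// Toy model of checking a fetch against a CSP source list under the two
// proposals for blob:, data: and filesystem: URLs described in the message.

const LOCAL_SCHEMES = new Set(['blob', 'data', 'filesystem']);
const EVAL_LIKE = new Set(['script-src', 'style-src']);

function schemeOf(url) {
  const i = url.indexOf(':');
  return i < 0 ? '' : url.slice(0, i).toLowerCase();
}

// scheme://host[:port] for http(s) URLs, null otherwise (toy: no default-port handling).
function originOf(url) {
  const m = /^(https?):\/\/([^/?#]+)/i.exec(url);
  return m ? `${m[1]}://${m[2]}`.toLowerCase() : null;
}

// "default-src 'self'; script-src 'self' https://cdn.example" -> Map(directive -> [sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Directive lookup with the usual fallback to default-src.
function sourcesFor(policy, directive) {
  return policy.get(directive) || policy.get('default-src') || [];
}

// One source expression against an ordinary http(s) URL; identical under both proposals.
function ordinaryMatch(expr, url, pageOrigin) {
  if (expr === '*') return true;
  if (expr === "'self'") return originOf(url) === pageOrigin;
  if (expr.startsWith("'")) return false;               // 'unsafe-eval' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeOf(url) === expr.slice(0, -1).toLowerCase();
  return originOf(url) === expr.toLowerCase();          // host-source: exact origin only
}

// Is `url` allowed for `directive` under `header`, using proposal 1 or 2 for local schemes?
function allowed(proposal, header, directive, url, pageOrigin) {
  const sources = sourcesFor(parsePolicy(header), directive);
  const scheme = schemeOf(url);
  if (!LOCAL_SCHEMES.has(scheme)) {
    return sources.some(e => ordinaryMatch(e, url, pageOrigin));
  }
  const listed = sources.includes(scheme + ':');
  if (proposal === 1) {
    // Proposal 1: script and style need 'unsafe-eval'; everything else rides along
    // with 'self'. Assumption: '*' or an explicit scheme counts as "equivalent" to 'self'.
    if (EVAL_LIKE.has(directive)) return sources.includes("'unsafe-eval'");
    return listed || sources.includes("'self'") || sources.includes('*');
  }
  if (proposal === 2) {
    // Proposal 2: the scheme must be spelled out; neither '*' nor 'self' covers it.
    return listed;
  }
  throw new Error(`unknown proposal ${proposal}`);
}

// Evaluate both proposals over a set of [directive, url] probes.
function compare(header, probes, pageOrigin) {
  return probes.map(([directive, url]) => ({
    directive,
    url,
    proposal1: allowed(1, header, directive, url, pageOrigin),
    proposal2: allowed(2, header, directive, url, pageOrigin),
  }));
}

// Constructed sample policy and probes (not taken from the thread).
const PAGE_ORIGIN = 'https://app.example';
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example; img-src *";
const SAMPLE_PROBES = [
  ['script-src',  'https://cdn.example/app.js'],
  ['script-src',  'https://evil.example/x.js'],
  ['script-src',  'blob:https://app.example/0f3a'],
  ['img-src',     'data:image/png;base64,iVBORw0KGgo='],
  ['connect-src', 'filesystem:https://app.example/temporary/log.txt'],
];

console.table(compare(SAMPLE_POLICY, SAMPLE_PROBES, PAGE_ORIGIN));
```

Running it shows the practical difference: under proposal 1 the `img-src *` and `default-src 'self'` policies silently admit data: images and filesystem: fetches, and `script-src` admits blob: only once `'unsafe-eval'` is added; under proposal 2 nothing with a local scheme passes until the author writes `blob:`, `data:` or `filesystem:` into the directive. For what it is worth, CSP Level 2 ended up close to the second proposal, excluding these three schemes from `*` so that they must be listed explicitly; this toy is not an implementation of that text.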