Re: CSP, Blob Workers, and Firefox from Hill, Brad on 2014-04-20 (public-webappsec@w3.org from April 2014)

From: Hill, Brad <bhill@paypal.com>
Date: Sun, 20 Apr 2014 04:24:09 +0000
To: Paul Frazee <pfrazee@gmail.com>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <02BEB85C-1436-4862-AF1F-DB3F2C154471@paypal.com>

We've clarified this in the 1.1 spec, but I think the behavior is different between Chrome and Firefox at the moment.  Chrome uses 'self', but Firefox requires the "blob:" scheme to be listed explicitly.

The latter behavior is what is specified in the 1.1 spec, with the further refinement that "blob:" will never match a "*" policy, and must be explicitly listed.  This is because blob is really more like 'unsafe-eval' than it is like 'self'.

-Brad Hill

On Apr 19, 2014, at 6:58 AM, Paul Frazee <pfrazee@gmail.com> wrote:

> I've got an edge case that the Firefox guys see as undefined in the CSP spec.
> 
> Bug report here: https://bugzilla.mozilla.org/show_bug.cgi?id=964276
> 
> Shouldn't blob URIs take the origin that they've been created within? If so, script-src 'self' ought to allow the Worker to load.
> 
> Paul F

Received on Sunday, 20 April 2014 04:24:37 UTC