W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: CSP, Blob Workers, and Firefox

From: Mike West <mkwst@google.com>
Date: Wed, 23 Apr 2014 14:31:00 +0200
Message-ID: <CAKXHy=e3bQiaVaTHvWwVr42xsV8SGyZ7DfR4SEYTLs+QT+6idw@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Paul Frazee <pfrazee@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Brad's summary is correct: see
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#h_note_1in
the 1.1 spec, as well as the detailed algorithm description preceeding
that note.

I need to change Blink's implementation to match the 1.1 spec. That work
isn't done yet.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Sun, Apr 20, 2014 at 6:24 AM, Hill, Brad <bhill@paypal.com> wrote:

> We've clarified this in the 1.1 spec, but I think the behavior is
> different between Chrome and Firefox at the moment.  Chrome uses 'self',
> but Firefox requires the "blob:" scheme to be listed explicitly.
>
> The latter behavior is what is specified in the 1.1 spec, with the further
> refinement that "blob:" will never match a "*" policy, and must be
> explicitly listed.  This is because blob is really more like 'unsafe-eval'
> than it is like 'self'.
>
> -Brad Hill
>
> On Apr 19, 2014, at 6:58 AM, Paul Frazee <pfrazee@gmail.com> wrote:
>
> > I've got an edge case that the Firefox guys see as undefined in the CSP
> spec.
> >
> > Bug report here: https://bugzilla.mozilla.org/show_bug.cgi?id=964276
> >
> > Shouldn't blob URIs take the origin that they've been created within? If
> so, script-src 'self' ought to allow the Worker to load.
> >
> > Paul F
>
>
>
Received on Wednesday, 23 April 2014 12:31:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC