W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: CSP, Blob Workers, and Firefox

From: Paul Frazee <pfrazee@gmail.com>
Date: Wed, 23 Apr 2014 07:48:01 -0500
Message-Id: <56D9E1FE-E17F-4501-93DE-FF0EE1677F2C@gmail.com>
Cc: "Hill, Brad" <bhill@paypal.com>, WebAppSec WG <public-webappsec@w3.org>
To: Mike West <mkwst@google.com>
Thanks for clearing that up.

Paul F

> On Apr 23, 2014, at 7:31 AM, Mike West <mkwst@google.com> wrote:
> 
> Brad's summary is correct: see http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#h_note_1 in the 1.1 spec, as well as the detailed algorithm description preceeding that note.
> 
> I need to change Blink's implementation to match the 1.1 spec. That work isn't done yet.
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
> 
>> On Sun, Apr 20, 2014 at 6:24 AM, Hill, Brad <bhill@paypal.com> wrote:
>> We've clarified this in the 1.1 spec, but I think the behavior is different between Chrome and Firefox at the moment.  Chrome uses 'self', but Firefox requires the "blob:" scheme to be listed explicitly.
>> 
>> The latter behavior is what is specified in the 1.1 spec, with the further refinement that "blob:" will never match a "*" policy, and must be explicitly listed.  This is because blob is really more like 'unsafe-eval' than it is like 'self'.
>> 
>> -Brad Hill
>> 
>> On Apr 19, 2014, at 6:58 AM, Paul Frazee <pfrazee@gmail.com> wrote:
>> 
>> > I've got an edge case that the Firefox guys see as undefined in the CSP spec.
>> >
>> > Bug report here: https://bugzilla.mozilla.org/show_bug.cgi?id=964276
>> >
>> > Shouldn't blob URIs take the origin that they've been created within? If so, script-src 'self' ought to allow the Worker to load.
>> >
>> > Paul F
> 
Received on Wednesday, 23 April 2014 12:48:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC