webappsec-ISSUE-73 (CSP path matching): Consider allowing relative paths (to 'self') in source productions [CSP Level 3] from Web Application Security Working Group Issue Tracker on 2014-12-30 (public-webappsec@w3.org from December 2014)

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 30 Dec 2014 19:23:40 +0000
To: public-webappsec@w3.org
Message-Id: <E1Y62OK-0007jq-O4@shauna.w3.org>

webappsec-ISSUE-73 (CSP path matching): Consider allowing relative paths (to 'self') in source productions [CSP Level 3]

http://www.w3.org/2011/webappsec/track/issues/73

Raised by: Brad Hill
On product: CSP Level 3

Craig Francis to public-webappsec 

Hi,

Would it be possible to update the path matching section:

http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching

So that a path can be specified without a domain, e.g.

 Content-Security-Policy: script-src /js/;

This would be a bit more restrictive over just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable to, whereas /uploaded-images/ might be.

I realise the current domain could be specified, but this would be much shorter :-)

Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but thats just because I won't need them).

Received on Tuesday, 30 December 2014 19:23:42 UTC