Re: Remove paths from CSP? from Mike West on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 09:52:36 +0100
To: "Eduardo' Vela" <evn@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Garrett Robinson <grobinson@mozilla.com>, Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <CAKXHy=emPBuwCMtFz9uk-DyL8hs4oDYiVdujuDRYQbhMi6yQyg@mail.gmail.com>

On Wed, Feb 12, 2014 at 9:33 AM, Eduardo' Vela" <Nava> <evn@google.com>wrote:

> Well, we won't be able to use CSP in Google since we (unfortunately) serve
> static JS APIs from www.google.com (which also has a lot of JSONP-like
> endpoints).
>
> These are also public APIs, so our users of such APIs won't be able to
> adopt CSP either.
>
I don't understand why a lack of paths in source expressions would mean
that Google can't adopt CSP. Users would whitelist 'www.google.com' (or '
developers.google.com') as a valid source of script. It wouldn't be as
narrow or lovely as 'developers.google.com/loader', but it's certainly not
nothing.

Can you explain?

-mike

Received on Wednesday, 12 February 2014 08:53:36 UTC