Re: Remove paths from CSP?

+public-webappsec for comment.

On Wed, Feb 12, 2014 at 12:46 PM, Egor Homakov <> wrote:

> No, auto-approving will only work for /specified_paths.
> E.g. even if there's a redirect /r/csp you won't be able to include it as
> a script, since only /jquery.js is allowed. There should be no
> auto-approving for wild-card whitelists with unspecified paths, for sure.
> I don't see any new threats coming from this feature.

Hrm. Interesting approach.

So if your source expression contains a path, then any redirects under that
path are accepted? I suppose that lowers the risk. It certainly increases
complexity (both implementation and understanding), but that might be


Received on Wednesday, 12 February 2014 12:22:09 UTC