- From: Mike West <mkwst@google.com>
- Date: Wed, 12 Feb 2014 13:21:20 +0100
- To: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 12 February 2014 12:22:09 UTC
+public-webappsec for comment.

On Wed, Feb 12, 2014 at 12:46 PM, Egor Homakov <homakov@gmail.com> wrote:
> No, auto-approving will only work for /specified_paths.
> E.g. even if there's a redirect /r/csp you won't be able to include it as
> a script, since only /jquery.js is allowed. There should be no
> auto-approving for wild-card whitelists with unspecified paths, for sure.
> I don't see any new threats coming from this feature.

Hrm. Interesting approach. So if your source expression contains a path, then any redirects under that path are accepted? I suppose that lowers the risk. It certainly increases complexity (both implementation and understanding), but that might be workable.

-mike
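The distinction the thread turns on (a source expression with an explicit path such as `/jquery.js` versus a host-only entry that admits any path, including a redirect endpoint like `/r/csp`) can be made concrete with a small path-matching check. This is an added illustration, not code from the list or from any CSP implementation; it assumes simplified CSP Level 2 path semantics (exact match without a trailing slash, prefix match with one, any path when none is given), ignores wildcard hosts and ports, and uses constructed `cdn.example` / `evil.example` URLs.

```python
from urllib.parse import urlsplit


def path_matches(source_path: str, url_path: str) -> bool:
    """Simplified CSP Level 2 path matching (assumption, see lead-in):
    no path in the source -> any path; trailing slash -> directory prefix;
    otherwise the URL path must equal the source path exactly."""
    if source_path == "":
        return True
    if source_path.endswith("/"):
        return url_path.startswith(source_path)
    return url_path == source_path


def source_allows(source_expr: str, url: str) -> bool:
    """Does one source expression admit this URL? Scheme and host must match
    exactly (wildcards and ports deliberately not handled here)."""
    src, tgt = urlsplit(source_expr), urlsplit(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.hostname != tgt.hostname:
        return False
    return path_matches(src.path, tgt.path)


def redirect_chain_allowed(sources: list[str], chain: list[str]) -> bool:
    """Strict policy: every hop of a redirect chain (initial request and each
    redirect target) must itself match some source expression. This is the
    behaviour the thread contrasts with 'auto-approving' redirects."""
    return all(any(source_allows(s, hop) for s in sources) for hop in chain)


# Constructed scenario from the thread: the policy names only /jquery.js,
# and the CDN host also happens to expose an open redirect at /r/csp.
PATH_POLICY = ["https://cdn.example/jquery.js"]
HOST_POLICY = ["https://cdn.example"]          # no path: whole host allowed
VIA_REDIRECT = ["https://cdn.example/r/csp?u=x", "https://evil.example/x.js"]

if __name__ == "__main__":
    # With an explicit path the redirect endpoint cannot even be requested.
    print(source_allows(PATH_POLICY[0], VIA_REDIRECT[0]))   # False
    # A host-only entry admits the request to /r/csp ...
    print(source_allows(HOST_POLICY[0], VIA_REDIRECT[0]))   # True
    # ... but the strict per-hop check still rejects the off-host target.
    print(redirect_chain_allowed(HOST_POLICY, VIA_REDIRECT))  # False
```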