
Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Wed, 12 Feb 2014 13:21:20 +0100
Message-ID: <CAKXHy=ek3BgZS3ibA35JqE8ztd67y1Ww9M-vS1+5JoRJEoeLaQ@mail.gmail.com>
To: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
+public-webappsec for comment.

On Wed, Feb 12, 2014 at 12:46 PM, Egor Homakov <homakov@gmail.com> wrote:

> No, auto-approving will only work for /specified_paths.
> E.g. even if there's a redirect /r/csp you won't be able to include it as
> a script, since only /jquery.js is allowed. There should be no
> auto-approving for wild-card whitelists with unspecified paths, for sure.
> I don't see any new threats coming from this feature.
>

Hrm. Interesting approach.

So if your source expression contains a path, then any redirects under that
path are accepted? I suppose that lowers the risk. It certainly increases
complexity (both implementation and understanding), but that might be
workable.

-mike
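To make the rule under discussion concrete, here is a small Python model of it. This is an added example, not code from this thread, from the CSP specification or from any browser: it treats a source expression that names a path (such as cdn.example.com/jquery.js) as the only kind that can auto-approve a redirect, and only when the redirect target stays on the same host and under the same path, while a host-only or wildcard expression never auto-approves a redirect target. The matching details (a path ending in "/" is a directory prefix, anything else is an exact file match) and all hostnames and URLs are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit


def parse_source_expression(expr):
    """Split a host-source expression into (scheme, host, path).

    Accepts "host", "host/path", "scheme://host/path" and "*.host".
    scheme is None when absent; path is None when the expression names
    no path at all (what the thread calls a wild-card whitelist).
    """
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    if "/" in rest:
        host, path = rest.split("/", 1)
        path = "/" + path
    else:
        host, path = rest, None
    return scheme, host.lower(), path


def host_matches(pattern, host):
    """Exact host match, or "*.example.com" matching any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return pattern == host


def path_matches(pattern_path, url_path):
    """Assumed rule: trailing "/" means directory prefix, else exact file."""
    if pattern_path.endswith("/"):
        return url_path.startswith(pattern_path)
    return url_path == pattern_path


def url_allowed(expr, url):
    """Ordinary check of a request URL against one source expression."""
    scheme, host_pat, path_pat = parse_source_expression(expr)
    u = urlsplit(url)
    if scheme is not None and u.scheme.lower() != scheme:
        return False
    if not host_matches(host_pat, (u.hostname or "").lower()):
        return False
    if path_pat is None:
        return True  # host-only expressions allow any path
    return path_matches(path_pat, u.path or "/")


def redirect_allowed(expr, target):
    """Model of the proposal: a redirect target is auto-approved only when
    the source expression names a path and the target still matches it;
    an expression with no path never auto-approves a redirect."""
    _, _, path_pat = parse_source_expression(expr)
    if path_pat is None:
        return False
    return url_allowed(expr, target)


def evaluate_chain(expr, chain):
    """Walk a list of URLs (initial request followed by redirect targets).

    Returns (allowed, reason). The first hop uses the ordinary check; every
    later hop must be auto-approved under the path rule above.
    """
    if not chain:
        return False, "empty chain"
    if not url_allowed(expr, chain[0]):
        return False, "initial request %s not allowed by %s" % (chain[0], expr)
    for hop in chain[1:]:
        if not redirect_allowed(expr, hop):
            return False, "redirect to %s not auto-approved by %s" % (hop, expr)
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample chains (hostnames are placeholders).
    cases = [
        ("cdn.example.com/jquery.js",
         ["https://cdn.example.com/jquery.js", "https://cdn.example.com/r/csp"]),
        ("cdn.example.com/static/",
         ["https://cdn.example.com/static/a.js", "https://cdn.example.com/static/b.js"]),
        ("*.example.com",
         ["https://a.example.com/x.js", "https://b.example.com/y.js"]),
    ]
    for expr, chain in cases:
        print(expr, "->", evaluate_chain(expr, chain))
```

The chain walker is where the proposal's narrowing shows: a redirect from /jquery.js to /r/csp is refused even though both live on the whitelisted host, a redirect between two files under /static/ is accepted, and a wildcard host expression with no path approves nothing after the first hop.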
Received on Wednesday, 12 February 2014 12:22:09 UTC
