- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 3 Mar 2014 13:38:13 -0800
- To: Joel Weinberger <jww@chromium.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> Namely, it seems a little too easy to shoot oneself in the foot by doing
> something as simple as putting a title tag with user content above it.

How? The mental model I have of CSP is that it mostly constrains behavior, does not give new capabilities. So, injecting a new CSP policy should mostly not be an issue. Am I missing some attack?

At a glance, the only directives that don't constrain further are with the report-uri, reflected-xss, and referrer directive.

If so, for meta element CSP policies, maybe we can (a) limit report-uris to same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and (c) disallow 'unsafe-url' for referrer.

~Dev

Received on Monday, 3 March 2014 21:39:01 UTC
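
The three restrictions proposed in the message above, (a) through (c), written out as a filter over a policy string taken from a `<meta>` element. This is an added example, not code from the thread, the specification, or any browser; the function name `restrictMetaPolicy`, its return shape, and the sample policy are assumptions made for illustration.

```javascript
// Added illustration of the proposal: a policy delivered via <meta> may only
// tighten behavior, so the three directives that can loosen it are restricted.
// Names and return shape are hypothetical; no user agent is claimed to do this.
const hasKeyword = (values, kw) =>
  values.some((v) => v.replace(/'/g, '').toLowerCase() === kw);

function restrictMetaPolicy(policy, documentUrl) {
  const docOrigin = new URL(documentUrl).origin;
  const kept = [];
  const dropped = [];

  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    let values = tokens.slice(1);

    if (name === 'report-uri') {
      // (a) keep only report endpoints on the document's own origin
      values = values.filter((uri) => {
        try {
          return new URL(uri, documentUrl).origin === docOrigin;
        } catch (e) {
          return false; // unparsable URI: never report there
        }
      });
      if (values.length === 0) { dropped.push(name); continue; }
    } else if (name === 'reflected-xss' && hasKeyword(values, 'allow')) {
      // (b) a meta policy may not switch reflected-XSS protection off
      dropped.push(name); continue;
    } else if (name === 'referrer' && hasKeyword(values, 'unsafe-url')) {
      // (c) a meta policy may not opt in to sending full URLs as referrer
      dropped.push(name); continue;
    }
    kept.push([name, ...values].join(' '));
  }
  return { policy: kept.join('; '), dropped };
}

// Constructed sample: one tightening directive plus the three loosening ones.
const samplePolicy = "script-src 'self'; report-uri /csp " +
  "https://collector.example/r; reflected-xss allow; referrer unsafe-url";
console.log(restrictMetaPolicy(samplePolicy, 'https://app.example/page'));
```

Directives that only constrain behavior pass through unchanged, which matches the mental model in the message: only the report-uri, reflected-xss, and referrer directives are treated specially.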