[webappsec] do we want a way to hash data: and blob: uris?

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 28 Oct 2014 16:00:27 -0700
Message-ID: <CAEeYn8gdLMkaiqSr-3Y4FeM0e02N6Hg1u6=mznGA+VHYUnKSiA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Just had a chat with Marcos on how manifests want to use CSP.

It came up that while data:, blob:, etc. are effectively
unsafe-inline, we don't have a way to treat them with hash-source.  If
I want to allow a specific data: uri but not all data: uris, I need to
repeat the whole blob in my CSP.

Is it worthwhile (for v.Next) to specify a way to take the hash of
GUID-type uris?

Received on Tuesday, 28 October 2014 23:00:54 UTC