
Re: CSP reports on eval() and inline

From: Neil Matatall <neilm@twitter.com>
Date: Thu, 4 Sep 2014 09:58:38 -0700
Message-ID: <CAOFLtbj1HbbOYbZhC+w1rdU_4+eXaUCtJshCDeBxXsRvO0vxxg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Mike West <mkwst@google.com>, Pawel Krawczyk <pawel.krawczyk@hush.com>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

There are already plenty of non-URIs in that value:

null
about
data:text/javascript;base64,...
asset
weixin
android-webview
pixivnanikahelper

Or at least URIs that the standard Java URI cannot parse. As this is likely
an unauthenticated endpoint, validation is required either way.
Received on Thursday, 4 September 2014 16:59:07 UTC
