W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [CSP] data: vs * in the real world

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 24 Apr 2015 18:01:39 +0000
Message-ID: <CAEeYn8gQtmF_PueS1QzKjG_qrhyBnVdKJKbmPwthPkFwetmpGA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
WhatsApp is fixed now. Thanks for noticing.  : )

On Fri, Apr 24, 2015 at 1:36 AM Daniel Veditz <dveditz@mozilla.com> wrote:

> According to the CSP spec * should not match data: (and similar schemes).
> Firefox's original implementation of the X-Content-Security-Policy header
> behaved that way, but the original translation to the spec-compliant
> Content-Security-Policy did not at first. When we recently started
> enforcing that part of the spec we immediately found several sites that
> broke because they were using img-src * or default-src * and data: sourced
> images. These are not backwater sites we can just ignore: WhatsApp, CNN,
> Fastmail (and Html5test, but I'm less pessimistic about convincing them).
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1086999
>
> We're not sure what the best way forward is at this point but none of the
> options are all that great, especially considering the WG thinks we're done
> changing CSP2 and are on to CSP.next.
>
> a) try tech evangelism to get the sites to fix their CSP, even though
> "works in Chrome"
> b) change the spec to match what everyone is doing anyway -- but then we
> have effectively allowed unsafe-inline
> c) change the spec so that _sometimes_ * matches data: (safe things like
> images, which is most of the problem anyway) and other times doesn't match
> in unsafe directives (like script-src and frame-src). html5test is using it
> for javascript but I'm less concerned about being unable to successfully
> convince them to change.
> d) have '*' always match data:, but _also_ require an explicit
> 'unsafe-inline' to use it for script-src, style-src, frame-src, child-src,
> and object-src (where it's unlikely to be currently used anyway).
>
> My Chrome bug searching skills aren't great, but I didn't see any bugs
> about chrome changing this behavior. Found one for blob: and 'self', but
> that's a different (similar) issue.
>
> -Dan Veditz
>
Received on Friday, 24 April 2015 18:02:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC