- From: Brad Hill <hillbrad@gmail.com>
- Date: Fri, 24 Apr 2015 18:01:39 +0000
- To: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8gQtmF_PueS1QzKjG_qrhyBnVdKJKbmPwthPkFwetmpGA@mail.gmail.com>
WhatsApp is fixed now. Thanks for noticing. : ) On Fri, Apr 24, 2015 at 1:36 AM Daniel Veditz <dveditz@mozilla.com> wrote: > According to the CSP spec * should not match data: (and similar schemes). > Firefox's original implementation of the X-Content-Security-Policy header > behaved that way, but the original translation to the spec-compliant > Content-Security-Policy did not at first. When we recently started > enforcing that part of the spec we immediately found several sites that > broke because they were using img-src * or default-src * and data: sourced > images. These are not backwater sites we can just ignore: WhatsApp, CNN, > Fastmail (and Html5test, but I'm less pessimistic about convincing them). > > https://bugzilla.mozilla.org/show_bug.cgi?id=1086999 > > We're not sure what the best way forward is at this point but none of the > options are all that great, especially considering the WG thinks we're done > changing CSP2 and are on to CSP.next. > > a) try tech evangelism to get the sites to fix their CSP, even though > "works in Chrome" > b) change the spec to match what everyone is doing anyway -- but then we > have effectively allowed unsafe-inline > c) change the spec so that _sometimes_ * matches data: (safe things like > images, which is most of the problem anyway) and other times doesn't match > in unsafe directives (like script-src and frame-src). html5test is using it > for javascript but I'm less concerned about being unable to successfully > convince them to change. > d) have '*' always match data:, but _also_ require an explicit > 'unsafe-inline' to use it for script-src, style-src, frame-src, child-src, > and object-src (where it's unlikely to be currently used anyway). > > My Chrome bug searching skills aren't great, but I didn't see any bugs > about chrome changing this behavior. Found one for blob: and 'self', but > that's a different (similar) issue. > > -Dan Veditz >
Received on Friday, 24 April 2015 18:02:07 UTC