- From: Mike West <mkwst@google.com>
- Date: Thu, 8 Jan 2015 11:39:40 +0100
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Craig Francis <craig@craigfrancis.co.uk>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cuTKA5pN8aCR=1gvgOdgfaKZk4h+Q6zWw10BkQa1B=JA@mail.gmail.com>
It's worth considering, certainly, and might give us a way of explaining 'self' (via `/`). That said, it's potentially confusing with relation to things like `document.domain`; we'd need to be careful to spell out exactly which origin ought to be compared against. Something to look at for CSP3.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Dec 30, 2014 at 8:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
> https://www.w3.org/2011/webappsec/track/issues/73
>
> On Tue Dec 30 2014 at 10:24:36 AM Craig Francis <craig@craigfrancis.co.uk> wrote:
>
>> Hi,
>>
>> Would it be possible to update the path matching section:
>>
>> http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching
>>
>> So that a path can be specified without a domain, e.g.
>>
>> Content-Security-Policy: script-src /js/;
>>
>> This would be a bit more restrictive over just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable to, whereas /uploaded-images/ might be.
>>
>> I realise the current domain could be specified, but this would be much shorter :-)
>>
>> Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but that's just because I won't need them).
>>
>> Craig
Received on Thursday, 8 January 2015 10:40:31 UTC
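To make the proposal concrete, here is an added example (not from the thread or the spec) of a minimal source-list matcher: it implements the CSP2 path rule (a path ending in `/` is a prefix match, any other path is an exact match, query and fragment ignored) and adds the proposed bare-path form such as `/js/`, resolved against the protected document's origin. The `DOCUMENT_ORIGIN` value is a constructed sample; the matcher assumes https sources, ignores wildcards and ports, and deliberately compares URL origins rather than `document.domain`, which is the point Mike raises about spelling out which origin is compared.

```javascript
// Constructed sample: the origin of the page that carries the policy.
const DOCUMENT_ORIGIN = "https://example.com";

// CSP2 path matching: "" or "/" matches any path; a path ending in "/"
// is a prefix match; anything else must match exactly.
function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "" || sourcePath === "/") return true;
  if (sourcePath.endsWith("/")) return urlPath.startsWith(sourcePath);
  return urlPath === sourcePath;
}

// Parse one source expression into { origin, path }.
//   'self'                -> document origin, any path
//   /js/                  -> PROPOSED bare path, resolved against the document origin
//   host/path, https://host/path -> explicit host source (assumed https when no scheme)
function parseSource(expr) {
  if (expr === "'self'") return { origin: DOCUMENT_ORIGIN, path: "" };
  if (expr.startsWith("/")) return { origin: DOCUMENT_ORIGIN, path: expr };
  const u = new URL(expr.includes("://") ? expr : `https://${expr}`);
  return { origin: u.origin, path: u.pathname };
}

// Does any source expression in the script-src value allow this script URL?
// The origin check uses the URL's scheme/host/port, never document.domain.
function scriptAllowed(sourceList, scriptUrl) {
  const url = new URL(scriptUrl);
  return sourceList
    .replace(/;\s*$/, "")
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => {
      const src = parseSource(expr);
      return src.origin === url.origin && pathMatches(src.path, url.pathname);
    });
}

// Craig's scenario: "/js/" allows the real bundle but not an upload directory,
// while 'self' would allow both.
console.log(scriptAllowed("/js/", "https://example.com/js/app.js"));                 // true
console.log(scriptAllowed("/js/", "https://example.com/uploaded-images/evil.js"));   // false
console.log(scriptAllowed("'self'", "https://example.com/uploaded-images/evil.js")); // true
```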