Re: [CSP3] Allow paths without a domain

It's worth considering, certainly, and might give us a way of explaining
'self' (via `/`). That said, it's potentially confusing with relation to
things like `document.domain`; we'd need to be careful to spell out exactly
which origin ought to be compared against.

Something to look at for CSP3.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Dec 30, 2014 at 8:23 PM, Brad Hill <hillbrad@gmail.com> wrote:

> https://www.w3.org/2011/webappsec/track/issues/73
>
>
> On Tue Dec 30 2014 at 10:24:36 AM Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>
>> Hi,
>>
>> Would it be possible to update the path matching section:
>>
>>
>> http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching
>>
>> So that a path can be specified without a domain, e.g.
>>
>> Content-Security-Policy: script-src /js/;
>>
>> This would be a bit more restrictive over just using "self", as a
>> malicious JavaScript file could be uploaded via a CMS vulnerability, where
>> the /js/ folder might not be writable to, whereas /uploaded-images/ might
>> be.
>>
>> I realise the current domain could be specified, but this would be much
>> shorter :-)
>>
>> Might be worth also noting if relative URLs should be allowed (I'm
>> tempted to say no, but that's just because I won't need them).
>>
>> Craig
>>
>

Received on Thursday, 8 January 2015 10:40:31 UTC
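Added example, not part of the thread above: a minimal CSP source-list matcher that implements the CSP Level 2 path-matching rules (a path ending in `/` is a prefix match, anything else an exact match, both after percent-decoding and URL normalisation) and, in addition, the path-only form Craig proposes (`script-src /js/`), which this example resolves against the document's origin. Everything here is an assumption for illustration: the proposed path-only syntax was not part of CSP2, and the function names, the origin `https://example.com` and the sample URLs are constructed for the demo. It shows concretely why `/js/` is tighter than `'self'`: a script dropped into a writable upload directory on the same origin passes `'self'` but not the path-restricted policy.

```javascript
// Added example (not from the thread): CSP2-style source expression matching
// with a hypothetical path-only form ("/js/") scoped to the document's origin.
// Comparison is against the document's scheme/host/port, not document.domain.

// Parse one source expression into a matcher object.
function parseSourceExpression(expr, documentOrigin) {
  const doc = new URL(documentOrigin);
  if (expr === "'self'") {
    // 'self': the document's scheme, host and port; any path.
    return { scheme: doc.protocol, host: doc.hostname, port: doc.port, path: null };
  }
  if (expr.startsWith("/")) {
    // Proposed (hypothetical) path-only form: document's origin plus this path.
    return { scheme: doc.protocol, host: doc.hostname, port: doc.port, path: expr };
  }
  // host-source: [scheme://]host[:port][/path]; a missing scheme inherits the
  // document's scheme, as CSP2 does.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(expr) ? expr : `${doc.protocol}//${expr}`;
  const u = new URL(withScheme);
  // URL normalises a bare host to path "/", which prefix-matches everything,
  // so a host without a path still allows any path on that host.
  return { scheme: u.protocol, host: u.hostname, port: u.port, path: decodeURIComponent(u.pathname) };
}

// Does a single parsed expression match the URL being loaded?
function matchesSourceExpression(m, urlString) {
  const u = new URL(urlString); // normalises "." and ".." segments
  // An http: expression also permits https: (CSP2 allows the secure upgrade).
  const schemeOk = u.protocol === m.scheme || (m.scheme === "http:" && u.protocol === "https:");
  if (!schemeOk) return false;
  if (u.hostname !== m.host) return false;
  if (u.port !== m.port) return false; // "" means the scheme's default port
  if (m.path === null) return true;
  const p = decodeURIComponent(u.pathname); // CSP2 compares percent-decoded paths
  return m.path.endsWith("/") ? p.startsWith(m.path) : p === m.path;
}

// Is urlString permitted by the directive value (a space-separated source list)?
function isAllowed(directiveValue, documentOrigin, urlString) {
  return directiveValue
    .trim()
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => matchesSourceExpression(parseSourceExpression(expr, documentOrigin), urlString));
}

// Constructed sample input for the demo.
const ORIGIN = "https://example.com";
const APP_JS = "https://example.com/js/app.js";
const UPLOADED_JS = "https://example.com/uploaded-images/evil.js";

// 'self' lets the uploaded file through; the path-restricted forms do not.
console.log(isAllowed("'self'", ORIGIN, UPLOADED_JS));                    // true
console.log(isAllowed("/js/", ORIGIN, UPLOADED_JS));                      // false
console.log(isAllowed("/js/", ORIGIN, APP_JS));                           // true
console.log(isAllowed("https://example.com/js/", ORIGIN, APP_JS));        // true
// Dot-segments and percent-encoding are normalised before the prefix check.
console.log(isAllowed("/js/", ORIGIN, "https://example.com/js/../uploaded-images/evil.js")); // false
console.log(isAllowed("/js/", ORIGIN, "https://example.com/%6As/app.js"));                   // true
```

Two caveats a practitioner would want alongside this. First, the example settles the ambiguity Mike raises by comparing against the document's scheme, host and port, the same tuple `'self'` uses; a specification would have to say that explicitly rather than leave `document.domain` in play. Second, CSP Level 2 ignores the path component of a source expression when the resource was reached through a redirect, so a path-only allowlist only constrains direct loads; a redirect on the same origin that lands in the upload directory is not caught by path matching alone.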