
Re: [CSP3] Allow paths without a domain

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 11:39:40 +0100
Message-ID: <CAKXHy=cuTKA5pN8aCR=1gvgOdgfaKZk4h+Q6zWw10BkQa1B=JA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, "public-webappsec@w3.org" <public-webappsec@w3.org>
It's worth considering, certainly, and might give us a way of explaining
'self' (via `/`). That said, it's potentially confusing with relation to
things like `document.domain`; we'd need to be careful to spell out exactly
which origin ought to be compared against.

Something to look at for CSP3.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered office:
Hamburg, Managing directors: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Dec 30, 2014 at 8:23 PM, Brad Hill <hillbrad@gmail.com> wrote:

> https://www.w3.org/2011/webappsec/track/issues/73
> On Tue Dec 30 2014 at 10:24:36 AM Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>> Hi,
>> Would it be possible to update the path matching section:
>> http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching
>> So that a path can be specified without a domain, e.g.
>> Content-Security-Policy: script-src /js/;
>> This would be a bit more restrictive than just using "self", as a
>> malicious JavaScript file could be uploaded via a CMS vulnerability, where
>> the /js/ folder might not be writable to, whereas /uploaded-images/ might
>> be.
>> I realise the current domain could be specified, but this would be much
>> shorter :-)
>> Might be worth also noting if relative URLs should be allowed (I'm
>> tempted to say no, but that's just because I won't need them).
>> Craig
Received on Thursday, 8 January 2015 10:40:31 UTC
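The following is an added example, not code from the thread, from any browser, or from the CSP spec itself: a small matcher for CSP source expressions that shows why `'self'` alone lets the uploaded file in the scenario above run, how a host-source with a path (`https://example.com/js/`) blocks it, and how the proposed bare-path form (`/js/`) would behave if it were defined as "same origin as the protected document's URL, restricted to that path". Path matching follows the CSP Level 2 rule (a source path ending in `/` is a prefix match, any other path is an exact match). The bare-path branch is an assumption modelling the proposal, not shipped behaviour; wildcard hosts, the http-to-https upgrade rule and percent-decoding are deliberately left out. The sample URLs are constructed for the example.

```javascript
// Added example: minimal CSP source-expression matcher (not from the thread or any spec text).
// Assumes Node.js, where the WHATWG URL class is global.

// CSP2 path matching: "" matches any path, a trailing "/" is a prefix match, else exact.
function matchesPath(exprPath, urlPath) {
  if (exprPath === "") return true;
  if (exprPath.endsWith("/")) return urlPath.startsWith(exprPath);
  return urlPath === exprPath;
}

// Parse a host-source such as "example.com", "https://example.com:8443/js/" or "example.com:*".
// Wildcard hosts (*.example.com) are not supported here.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || "",
  };
}

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Does the single source expression `expr` allow loading `url` into a document whose URL is `docUrl`?
// Origin comparisons use the origin of the document's URL, never document.domain.
function sourceAllows(expr, url, docUrl) {
  const target = new URL(url);
  const doc = new URL(docUrl);
  const sameOrigin = target.origin === doc.origin;

  if (expr === "'none'") return false;
  if (expr === "'self'") return sameOrigin;
  if (expr === "*") return true;

  // Assumed semantics for the proposed bare-path form: 'self' narrowed to a path.
  if (expr.startsWith("/")) return sameOrigin && matchesPath(expr, target.pathname);

  const src = parseHostSource(expr);
  // Scheme: explicit scheme must match; otherwise the document's scheme is required.
  if (src.scheme ? target.protocol !== src.scheme : target.protocol !== doc.protocol) return false;
  if (target.hostname !== src.host) return false;
  if (src.port === null) {
    if (target.port !== "") return false;           // URL normalises a default port to ""
  } else if (src.port !== "*") {
    const targetPort = target.port || DEFAULT_PORT[target.protocol] || "";
    if (src.port !== targetPort) return false;
  }
  return matchesPath(src.path, target.pathname);
}

// Evaluate a whole directive value, e.g. "'self' https://cdn.example.com/js/".
function policyAllows(directiveValue, url, docUrl) {
  return directiveValue.trim().split(/\s+/).some((expr) => sourceAllows(expr, url, docUrl));
}

// Constructed scenario from the thread: the CMS can write to /uploaded-images/ but not /js/.
const DOC = "https://example.com/admin/";
const GOOD = "https://example.com/js/app.js";
const EVIL = "https://example.com/uploaded-images/evil.js";

console.log("'self' allows the upload:", policyAllows("'self'", EVIL, DOC));
console.log("host-source with path allows the upload:", policyAllows("https://example.com/js/", EVIL, DOC));
console.log("bare path allows /js/:", policyAllows("/js/", GOOD, DOC),
            "and the upload:", policyAllows("/js/", EVIL, DOC));
// A document at another origin gets nothing from "/js/", even if it had set document.domain:
console.log("bare path from app.example.com:", policyAllows("/js/", GOOD, "https://app.example.com/"));
```

The last line is the point Mike raises: the matcher compares against the origin of the document's URL, so a page at `https://app.example.com/` that has relaxed `document.domain` to `example.com` still does not get `https://example.com/js/` from a bare `/js/`; a spec would have to say so explicitly.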
