- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 28 Sep 2015 10:18:40 -0700
- To: Mike West <mkwst@google.com>, André N. Klingsheim <andre.klingsheim@owasp.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 9/28/15 6:43 AM, Mike West wrote:
> I think this is probably worth considering as a simplification for
> developers, though it complicates the model a little bit by changing
> an origin-based comparison into a host-based comparison. Locking it
> to schemes with the same security properties or better might be
> doable (e.g. 'self' on `http://example.com` could allow
> `ws://example.com` or `wss://example.com`, but 'self' on
> `https://example.com` would only allow `wss://example.com`).

I do not want CSP to devolve from origin-based to host-based (we've seen where that gets us with cookies), but I could live with an explicit exception equating "ws:" and "http:" wrt 'self'. Ports would still have to match, of course.

Are there non-trivial services that actually run a web socket on the same port as their normal web pages? If not, this change wouldn't help much.

As Mike said, a request for CSP3 -- we're nearly wrapped up for CSP2.

-Dan Veditz
Received on Monday, 28 September 2015 17:19:11 UTC
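The matching rule the two messages above sketch, as an added toy example that is not code from the thread, from any browser, or from the CSP specification. It assumes Dan's reading: 'self' on an http: page also covers ws: and wss: on the same host, 'self' on an https: page covers only wss:, and ports must still agree after each scheme's default port is filled in. The `selfMatches` function, the `wsException` flag and the example.com inputs are constructed for illustration.

```javascript
// Added example (not from the thread or any CSP implementation): a toy
// matcher for the CSP 'self' source expression with the proposed
// WebSocket exception. Ports are compared after filling in scheme defaults,
// so a socket served on a different port than the page does not match.

const DEFAULT_PORTS = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };

// Schemes that 'self' on a page of the given scheme may match when the
// exception is enabled ("same security properties or better").
const WS_EXCEPTION = {
  "http:": new Set(["http:", "ws:", "wss:"]),
  "https:": new Set(["https:", "wss:"]),
};

function originParts(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // The WHATWG URL parser drops a default port; reinstate it for comparison.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// pageOrigin: origin of the document carrying the policy.
// requestUrl: URL of the fetch or WebSocket being checked against 'self'.
// wsException=false gives the strict same-origin behaviour (scheme, host, port).
function selfMatches(pageOrigin, requestUrl, wsException = true) {
  const page = originParts(pageOrigin);
  const req = originParts(requestUrl);
  if (page.host !== req.host || page.port !== req.port) return false;
  if (req.scheme === page.scheme) return true;
  if (!wsException) return false;
  const allowed = WS_EXCEPTION[page.scheme];
  return allowed !== undefined && allowed.has(req.scheme);
}

// Walk-through on constructed example.com origins from the discussion.
function demo() {
  const cases = [
    ["http://example.com", "ws://example.com/chat"],       // true: same host, port 80
    ["http://example.com", "wss://example.com/chat"],      // false: port 443 vs 80
    ["https://example.com", "wss://example.com/chat"],     // true: both port 443
    ["https://example.com", "ws://example.com:443/chat"],  // false: downgrade to ws:
  ];
  return cases.map(([p, r]) => `${p} 'self' -> ${r}: ${selfMatches(p, r)}`);
}

console.log(demo().join("\n"));
```

The second case is Dan's point in concrete form: with default ports, `wss://example.com` from an `http://example.com` page only matches if the socket is explicitly served on port 80.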