CSP Security query

Hi,

Where can I find clarification regarding schemes, and their usage?

https://www.w3.org/TR/CSP3/

https://www.w3.org/TR/CSP2/


For instance,

Content-Security-Policy: default-src 'self' http:
In the example above, the http: scheme would effectively override the specific domain settings in the default-src attribute. This would allow ALL HTTP URLs to be loaded regardless of the domains listed in default-src (it appears to be the equivalent of adding http://*). It appears this would be true of any scheme added to the CSP.

With this in mind, for tightening security, should all schemes be disallowed, as they override default-src?

Such as – data:, filesystem:, mediastream:, blob:, http:, https:, ftp:, sftp:

Thanks,

Sunitha

Received on Monday, 2 March 2020 19:04:44 UTC
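The matching behaviour the post asks about can be checked against a small model of the CSP3 source-expression rules. The following is an added example, written for this thread; it is neither the poster's code nor part of the W3C specification, and it is deliberately simplified (no path matching, redirects, nonces or hashes). The document origin SELF_ORIGIN is a constructed assumption. One detail worth seeing in code is that CSP3's "scheme-part match" rule makes a bare `http:` admit `https:` URLs as well, so it is slightly broader than the `http://*` approximation in the question.

```python
import re
from urllib.parse import urlparse

# Constructed example document origin (an assumption; the post names no site).
SELF_ORIGIN = "https://www.example.com"

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
SCHEME_SOURCE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")


def scheme_part_matches(policy_scheme: str, url_scheme: str) -> bool:
    """CSP3 'scheme-part match': equal schemes match, and a policy scheme of
    http/ws also matches its secure upgrade https/wss. So 'http:' in a
    source list admits https: URLs as well as http: ones."""
    a, b = policy_scheme.lower(), url_scheme.lower()
    return a == b or (a, b) in {("http", "https"), ("ws", "wss")}


def host_part_matches(pattern: str, host: str) -> bool:
    """Exact host, '*' (any host) or '*.example' (any subdomain, not the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def _port_ok(pattern_port, url) -> bool:
    if pattern_port == "*":
        return True
    if pattern_port is not None:
        return int(pattern_port) == (url.port or DEFAULT_PORTS.get(url.scheme))
    # No port in the expression: only the URL scheme's default port matches.
    return url.port is None or url.port == DEFAULT_PORTS.get(url.scheme)


def source_matches(expr: str, url_str: str, self_origin: str = SELF_ORIGIN) -> bool:
    """Simplified CSP3 'does url match expression': handles 'self', 'none',
    scheme-sources and host-sources (path matching is omitted). Other quoted
    keywords (nonces, hashes, 'unsafe-inline') never match a fetched URL."""
    url = urlparse(url_str)
    if expr == "'none'":
        return False
    if expr == "'self'":
        me = urlparse(self_origin)
        if not scheme_part_matches(me.scheme, url.scheme) or url.hostname != me.hostname:
            return False
        if url.scheme == me.scheme:
            return (url.port or DEFAULT_PORTS.get(url.scheme)) == (me.port or DEFAULT_PORTS.get(me.scheme))
        return url.port is None  # upgraded scheme only implies the default port
    if expr.startswith("'"):
        return False
    if SCHEME_SOURCE.fullmatch(expr):
        # A bare scheme-source admits every URL of that scheme, whatever the host.
        return scheme_part_matches(expr[:-1], url.scheme)
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", None)
    if url.hostname is None:
        return False  # data:, blob: and similar have no host; only a scheme-source can admit them
    policy_scheme = scheme or urlparse(self_origin).scheme
    return (scheme_part_matches(policy_scheme, url.scheme)
            and host_part_matches(host, url.hostname)
            and _port_ok(port, url))


def url_allowed(source_list: str, url_str: str, self_origin: str = SELF_ORIGIN) -> bool:
    """True if any expression in the space-separated source list admits the URL."""
    return any(source_matches(e, url_str, self_origin) for e in source_list.split())


def scheme_sources(policy: str) -> dict:
    """Lint helper: map each directive of a CSP header value to the bare
    scheme-sources it contains, since each of those admits every URL of that
    scheme regardless of the host-sources listed beside it."""
    found = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts:
            continue
        schemes = [p for p in parts[1:] if SCHEME_SOURCE.fullmatch(p)]
        if schemes:
            found[parts[0].lower()] = schemes
    return found


if __name__ == "__main__":
    print(url_allowed("'self' http:", "http://third-party.invalid/a.js"))   # True: http: wins over 'self'
    print(url_allowed("'self' http:", "https://third-party.invalid/a.js"))  # True: scheme-part match upgrades
    print(url_allowed("'self'", "http://third-party.invalid/a.js"))         # False
    print(scheme_sources("default-src 'self' http:; img-src 'self' data:; script-src 'self'"))
```

Running `scheme_sources` over a header value is a quick way to audit which directives carry a scheme-source at all; for a tight policy, the usual answer to the question above is to list explicit host-sources (or hashes and nonces, which this model omits) and to keep scheme-sources such as `data:` only in the specific directive that needs them, rather than in `default-src`.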