
CSP Security query

From: Sunitha Kumar (sunithak) <sunithak@cisco.com>
Date: Mon, 2 Mar 2020 18:38:34 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D8DAB9A2-1D25-40B4-9079-7B4C128FC33D@cisco.com>
Hi,

Where can I find clarification regarding schemes, and their usage ?

https://www.w3.org/TR/CSP3/

https://www.w3.org/TR/CSP2/

For instance,

Content-Security-Policy: default-src 'self' http:
In the example above, the http: scheme would effectively override the specific domain settings in the default-src attribute. This would allow ALL http URLs to be loaded regardless of the domains listed in default-src (it appears to be the equivalent of adding http://*). It appears this would be true of any scheme added to the CSP.

With this in mind, for tightening security, should all schemes be disallowed, as they override default-src?

Such as – data:, filesystem:, mediastream:, blob:, http:, https:, ftp:, sftp:

Thanks,

Sunitha


Received on Monday, 2 March 2020 19:04:44 UTC
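As an added illustration of the matching behaviour the question describes (example code written for this archive page, not from the original mail or the CSP specification), the following is a simplified CSP3 source-list matcher. It handles 'self', scheme-sources and host-sources only; nonces, hashes and path matching are omitted, and the origins and URLs used are constructed. It also goes one step beyond the mail: per CSP3 scheme-part matching, a bare http: source admits https: URLs as well.

```python
"""Simplified CSP3 source-list matcher (added example, not the spec's own code).
Shows why "default-src 'self' http:" admits every http: (and https:) URL,
whereas listing specific hosts does not. Nonces, hashes and paths are omitted."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def scheme_matches(expr_scheme, url_scheme):
    # CSP3 "scheme-part matches": http: also covers https:, ws: also covers wss:
    return expr_scheme == url_scheme or \
        (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}

def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # *.example.com: subdomains only
        return host.endswith(pattern[1:])
    return pattern == host

def origin_of(url):
    # (scheme, host, effective port) of a URL; default port filled in for known schemes
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(expr, url, self_origin):
    u_scheme, u_host, u_port = origin_of(url)
    if expr == "'self'":
        return origin_of(self_origin) == (u_scheme, u_host, u_port)
    if expr.endswith(":") and "/" not in expr:   # scheme-source, e.g. http: or data:
        return scheme_matches(expr[:-1], u_scheme)
    # host-source: [scheme://]host[:port]; a missing scheme inherits the page's
    e_scheme, _, rest = expr.rpartition("://")
    e_scheme = e_scheme or origin_of(self_origin)[0]
    if not scheme_matches(e_scheme, u_scheme):
        return False
    e_host, _, e_port = rest.partition(":")
    if not host_matches(e_host, u_host):
        return False
    if e_port == "*":
        return True
    return (int(e_port) if e_port else DEFAULT_PORTS.get(e_scheme)) == u_port

def allowed(source_list, url, self_origin):
    """True if url is permitted by a directive value such as "'self' http:"."""
    return any(source_matches(e, url, self_origin) for e in source_list.split())

if __name__ == "__main__":
    page = "https://app.example.com"            # constructed document origin
    print(allowed("'self' http:", "http://other.example/x.js", page))        # True
    print(allowed("'self' cdn.example.com", "http://other.example/x.js", page))  # False
```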
