
Re: CSP Security query

From: Stefano Calzavara <calzavara@dais.unive.it>
Date: Mon, 2 Mar 2020 20:55:28 +0100
Message-ID: <CAGVWdyWyXXkUxkcU_BQYt=s+M80HoMWAQ2Gs0pV-uKCf==5s5w@mail.gmail.com>
To: "Sunitha Kumar (sunithak)" <sunithak@cisco.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
It's not an override: you can think of any item there as a set of web
origins, and the union of all sets is the final white-list.

In your case, you are whitelisting same-origin content, plus everything
which is served over HTTP. If your web app is served over HTTPS, this means:

1. HTTPS from your own domain
2. HTTP from all other domains

Notice that in CSP3 all the HTTPS expressions implicitly whitelist also
their HTTPS variant, but I hope the example above clarified your issue.

*Stefano Calzavara*
Assistant professor
Università Ca' Foscari Venezia

On Mon, 2 Mar 2020 at 20:06, Sunitha Kumar (sunithak) <sunithak@cisco.com> wrote:

> Hi,
> Where can I find clarification regarding schemes, and their usage?
> https://www.w3.org/TR/CSP3/
> https://www.w3.org/TR/CSP2/
> For instance,
> Content-Security-Policy: default-src 'self' http:
> In the example above, the http: scheme would effectively override the
> specific domain settings in the default-src attribute. This would allow ALL
> HTTP URLs to be loaded regardless of the domains listed in default-src (it
> appears to be the equivalent of adding http://*). It appears this would
> be true of any scheme added to the CSP.
> With this in mind, for tightening security, should all schemes be disallowed,
> as they override default-src? Such as: data:, filesystem:, mediastream:,
> blob:, http:, https:, ftp:, sftp:
> Thanks,
> Sunitha
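The union semantics described in the reply, as an added example that is not part of the thread: a simplified CSP3 source-list matcher evaluating the thread's `default-src 'self' http:` beside a tightened host-source policy. The page origin `https://app.example` and the host `cdn.example` are constructed for the example; the matcher implements the CSP3 scheme-part rule under which `http:` also matches HTTPS URLs, and omits nonces, hashes and `'none'`.

```python
from urllib.parse import urlsplit

# Constructed example: the thread's policy, evaluated for an assumed page origin.
PAGE_ORIGIN = "https://app.example"
THREAD_POLICY = "default-src 'self' http:"
TIGHT_POLICY = "default-src 'self' https://cdn.example"

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def port_of(parts):
    """Effective port of a parsed URL, falling back to the scheme default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)

def scheme_matches(expr_scheme, url_scheme):
    """CSP3 scheme-part match: 'http:' also covers https URLs, 'ws:' covers wss."""
    return (expr_scheme == url_scheme
            or (expr_scheme == "http" and url_scheme == "https")
            or (expr_scheme == "ws" and url_scheme == "wss"))

def expression_matches(expr, url, page_origin):
    """True if one source expression allows url (simplified CSP3; no nonces/hashes)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":  # same scheme, host and port as the page itself
        return (u.scheme, u.hostname, port_of(u)) == (p.scheme, p.hostname, port_of(p))
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "http:"
        return scheme_matches(expr[:-1], u.scheme)
    # host-source such as "cdn.example" or "https://*.example"; a missing
    # scheme inherits the page's scheme
    e = urlsplit(expr if "://" in expr else f"{p.scheme}://{expr}")
    if not scheme_matches(e.scheme, u.scheme):
        return False
    host = e.hostname or ""
    if host.startswith("*."):  # "*.example" matches subdomains, not "example"
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    # explicit port must match; otherwise the URL must use its scheme default
    return port_of(u) == (e.port if e.port is not None else DEFAULT_PORTS.get(u.scheme))

def policy_allows(policy, url, page_origin=PAGE_ORIGIN):
    """A source list is a union: the load is allowed if any expression matches."""
    _directive, _, sources = policy.partition(" ")
    return any(expression_matches(s, url, page_origin) for s in sources.split())
```

Run `policy_allows(THREAD_POLICY, "http://evil.example/x.js")` to see the union effect the question worries about, and the same URL against `TIGHT_POLICY` to see a host-source list reject it.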
Received on Monday, 2 March 2020 19:55:54 UTC