- From: Stefano Calzavara <calzavara@dais.unive.it>
- Date: Mon, 2 Mar 2020 20:55:28 +0100
- To: "Sunitha Kumar (sunithak)" <sunithak@cisco.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAGVWdyWyXXkUxkcU_BQYt=s+M80HoMWAQ2Gs0pV-uKCf==5s5w@mail.gmail.com>
It's not an override, you can think of any item there as a set of web origins and the union of all sets is the final white-list. In your case, you are whitelisting same-origin content, plus everything which is served over HTTP. If your web app is served over HTTPS, this means:

1. HTTPS from your own domain
2. HTTP from all other domains

Notice that in CSP3 all the HTTPS expressions implicitly whitelist also their HTTPS variant, but I hope the example above clarified your issue.

Best.

*Stefano Calzavara*
Assistant professor
Università Ca' Foscari Venezia
https://www.dais.unive.it/~calzavara

On Mon, 2 Mar 2020 at 20:06, Sunitha Kumar (sunithak) <sunithak@cisco.com> wrote:

> Hi,
>
> Where can I find clarification regarding schemes, and their usage?
>
> https://www.w3.org/TR/CSP3/
> https://www.w3.org/TR/CSP2/
>
> For instance,
>
> Content-Security-Policy: default-src 'self' http:
>
> In the example above, the http: scheme would effectively override the specific domain settings in the default-src attribute. This would allow ALL http urls to be loaded regardless of the domains listed in default-src (it appears to be the equivalent of adding http://*). It appears this would be true of any scheme added to the CSP.
>
> This in mind, for tightening security, should all schemes be disallowed as they over-ride default-src?
>
> Such as – data:, filesystem:, mediastream:, blob:, http:, https:, ftp:, sftp:
>
> Thanks,
> Sunitha
Received on Monday, 2 March 2020 19:55:54 UTC
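The semantics Stefano describes (each source expression is a set of origins, the list is their union, and in CSP3 a scheme-source such as `http:` also covers `https:`), as an added JavaScript example that is not part of the thread. It assumes a simplified matcher (no wildcards, paths, `'none'`, nonces or hashes) and a hypothetical `allowedBy(sourceList, url, selfUrl)` helper.

```javascript
// Simplified CSP3 source-list matcher (added example, not from the thread).
// Supports 'self', scheme-sources (http:, https:, data:, blob:, ...) and
// host-sources (https://cdn.example, cdn.example, cdn.example:8443).
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

// CSP3 "scheme-part match": http: also matches https:, ws: also matches wss:.
function schemeMatches(allowed, actual) {
  return allowed === actual ||
    (allowed === "http:" && actual === "https:") ||
    (allowed === "ws:" && actual === "wss:");
}

function expressionMatches(expr, target, self) {
  if (expr === "'self'") {
    // Same origin: scheme, host and port must all agree.
    return target.scheme === self.scheme && target.host === self.host && target.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // Scheme-source: any origin with a matching scheme, e.g. "http:" or "data:".
    return schemeMatches(expr.toLowerCase(), target.scheme);
  }
  // Host-source: optional scheme, host, optional port (no wildcards here).
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^:/]+)(?::(\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme, the policy's own (self) scheme is used.
  const schemeOk = schemeMatches((scheme || self.scheme).toLowerCase(), target.scheme);
  const hostOk = host.toLowerCase() === target.host;
  const portOk = port ? port === target.port : target.port === DEFAULT_PORT[target.scheme];
  return schemeOk && hostOk && portOk;
}

// A source list is the union of its expressions: one matching expression is enough.
function allowedBy(sourceList, url, selfUrl) {
  const self = originOf(selfUrl);
  const target = originOf(url);
  return sourceList.trim().split(/\s+/).some(e => expressionMatches(e, target, self));
}

// Constructed policy from the thread: default-src 'self' http: on an HTTPS app.
// allowedBy("'self' http:", "https://other.example/x.js", "https://app.example/") → true in CSP3
```

With that policy, same-origin HTTPS and any HTTP origin are allowed, and because of the CSP3 scheme-part rule `http:` also admits HTTPS from every other origin; `data:` is only admitted if listed explicitly.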