[Webkit-unassigned] [Bug 160656] New: CSP Wildcard support

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=160656

            Bug ID: 160656
           Summary: CSP Wildcard support
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: craig+webkit at craigfrancis.co.uk

In regards to "More restrictive wildcard" on:

https://webkit.org/blog/6830/a-refined-content-security-policy/

Where you are suggesting allowing "data:" for image and "data:, blob:" for media (the heading should really be "less restrictive").

Please can you follow the spec instead:

https://www.w3.org/TR/CSP2/#match-source-expression

"If the source expression a consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match."

This means is that websites that want to use "data:" for their images just add it to their directive (img-src * data:;), whereas websites that really don't use "data:" urls, can continue to use a wildcard without worrying about images that use this scheme (e.g. a malicious resource, delivered inline, which means there is no need to find somewhere to host it).

Keeping in mind that images, like TIFF's, can have buffer overflows ;-)

---

Might be related to Issue 153090.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160808/f2a47642/attachment-0001.html>