[Webkit-unassigned] [Bug 160656] New: CSP Wildcard support
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Aug 8 04:29:33 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=160656
Bug ID: 160656
Summary: CSP Wildcard support
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: craig+webkit at craigfrancis.co.uk
In regards to "More restrictive wildcard" on:
https://webkit.org/blog/6830/a-refined-content-security-policy/
Where you are suggesting allowing "data:" for image and "data:, blob:" for media (the heading should really be "less restrictive").
Please can you follow the spec instead:
https://www.w3.org/TR/CSP2/#match-source-expression
"If the source expression a consists of a single U+002A ASTERISK character (*), and urlâs scheme is not one of blob, data, filesystem, then return does match."
This means is that websites that want to use "data:" for their images just add it to their directive (img-src * data:;), whereas websites that really don't use "data:" urls, can continue to use a wildcard without worrying about images that use this scheme (e.g. a malicious resource, delivered inline, which means there is no need to find somewhere to host it).
Keeping in mind that images, like TIFF's, can have buffer overflows ;-)
---
Might be related to Issue 153090.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160808/f2a47642/attachment-0001.html>
More information about the webkit-unassigned
mailing list