[Webkit-unassigned] [Bug 154122] New: CSP: Source '*' should not match URLs with schemes blob, data, or filesystem

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 11 12:19:17 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=154122

            Bug ID: 154122
           Summary: CSP: Source '*' should not match URLs with schemes
                    blob, data, or filesystem
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org
                CC: webkit-bug-importer at group.apple.com

Source '*' should not match URLs with schemes blob, data, or filesystem, as per section "Matching Source Expressions" of the Content Security Policy 2.0 spec (29 August 2015):

[[
4.2.2. Matching Source Expressions

A URL url is said to match a source expression for a protected resource if the following algorithm returns does match:

1. Let url be the result of processing the URL through the URL parser.
2. If the source expression consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match.
...
]]
<https://w3c.github.io/webappsec-csp/2/#match-source-expression>

This is further stressed in section Security Considerations for GUID URL schemes:

[[
4.2.2.1. Security Considerations for GUID URL schemes

This section is not normative.

As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.
]]
<https://w3c.github.io/webappsec-csp/2/#source-list-guid-matching>
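The two quoted spec sections, as an added JavaScript example that is not WebKit's code: a minimal matcher covering only the `*` step (4.2.2 step 2) and explicit scheme-sources such as `data:`, so a policy can be checked against blob, data and filesystem URLs. The function names and the sample URLs are constructed for this example; host-sources, `'self'` and nonces are not implemented.

```javascript
// Added example, not WebKit's implementation. Implements the '*' step of
// CSP 2 "Matching Source Expressions" plus explicit scheme-source matching.

// Schemes that refer to specific pieces of unique content; '*' never matches them.
const GUID_SCHEMES = new Set(["blob", "data", "filesystem"]);

// Returns true if a single source expression matches the given URL string.
// Only '*' and scheme-sources ("data:", "blob:", ...) are handled here;
// every other expression kind returns false in this simplified matcher.
function sourceExpressionMatches(sourceExpression, urlString) {
  let url;
  try {
    url = new URL(urlString); // step 1: run the string through the URL parser
  } catch {
    return false; // an unparseable URL matches nothing
  }
  const scheme = url.protocol.slice(0, -1).toLowerCase(); // "data:" -> "data"

  if (sourceExpression === "*") {
    // step 2: '*' matches only when the scheme is not blob, data or filesystem
    return !GUID_SCHEMES.has(scheme);
  }

  // scheme-source: "<scheme>:" matches any URL with exactly that scheme,
  // which is how blob:/data:/filesystem: must be allowed explicitly
  if (/^[a-z][a-z0-9+.-]*:$/i.test(sourceExpression)) {
    return sourceExpression.slice(0, -1).toLowerCase() === scheme;
  }

  return false; // host-source, 'self', nonces etc. are out of scope here
}

// Returns true if any expression in a whitespace-separated source list matches.
function sourceListAllows(sourceList, urlString) {
  return sourceList
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => sourceExpressionMatches(expr, urlString));
}

// Constructed sample URLs illustrating the bug report's point.
const SAMPLES = {
  https: "https://cdn.example.com/app.js",
  data: "data:image/png;base64,iVBORw0KGgo=",
  blob: "blob:https://example.com/3f9a2b1c-0000-4000-8000-000000000000",
  filesystem: "filesystem:https://example.com/temporary/icon.png",
};
```

With `img-src *`, only the https sample is allowed; adding `data:` or `blob:` to the list is what permits the corresponding GUID-scheme URL.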
