<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP Wildcard support"

   href="https://bugs.webkit.org/show_bug.cgi?id=160656">160656</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP Wildcard support

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebKit Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>craig+webkit&#64;craigfrancis.co.uk

          </td>

        </tr></table>

      <p>

        <div>

        <pre>In regards to &quot;More restrictive wildcard&quot; on:

<a href="https://webkit.org/blog/6830/a-refined-content-security-policy/">https://webkit.org/blog/6830/a-refined-content-security-policy/</a>

Where you are suggesting allowing &quot;data:&quot; for image and &quot;data:, blob:&quot; for media (the heading should really be &quot;less restrictive&quot;).

Please can you follow the spec instead:

<a href="https://www.w3.org/TR/CSP2/#match-source-expression">https://www.w3.org/TR/CSP2/#match-source-expression</a>

&quot;If the source expression a consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match.&quot;

This means is that websites that want to use &quot;data:&quot; for their images just add it to their directive (img-src * data:;), whereas websites that really don't use &quot;data:&quot; urls, can continue to use a wildcard without worrying about images that use this scheme (e.g. a malicious resource, delivered inline, which means there is no need to find somewhere to host it).

Keeping in mind that images, like TIFF's, can have buffer overflows ;-)

---

Might be related to Issue 153090.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>