ISSUE-73: Consider allowing relative paths (to 'self') in source productions

CSP path matching

Consider allowing relative paths (to 'self') in source productions

CSP Level 3
Raised by:
Brad Hill
Opened on:
Craig Francis to public-webappsec


Would it be possible to update the path matching section:

So that a path can be specified without a domain, e.g.

Content-Security-Policy: script-src /js/;

This would be a bit more restrictive over just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable to, whereas /uploaded-images/ might be.

I realise the current domain could be specified, but this would be much shorter :-)

Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but that's just because I won't need them).
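To make the restriction being asked for concrete, here is an added example (not code from the tracker, the spec, or the reporter) that models CSP Level 3 source-expression path matching and compares the three policies mentioned above: `'self'`, an explicit `https://example.com/js/` source, and the proposed origin-relative `/js/` form. The origin `https://example.com`, the paths and the URLs are constructed for the example; the handling of a bare `/js/` expression is the proposal's hypothetical syntax, interpreted here as "'self' plus a path", and is not part of the CSP specification.

```python
from urllib.parse import urlsplit

# Constructed value: the origin of the page that delivered the policy,
# i.e. what 'self' resolves to in this example.
SELF_ORIGIN = "https://example.com"


def path_matches(expr_path: str, url_path: str) -> bool:
    """CSP3 path-part matching.

    An expression path ending in '/' matches any URL path that starts with it
    (a segment-wise prefix match); any other non-empty path must match the
    URL path exactly. An empty path or '/' places no restriction.
    """
    if expr_path in ("", "/"):
        return True
    if expr_path.endswith("/"):
        return url_path.startswith(expr_path)
    return url_path == expr_path


def source_allows(expr: str, url: str, self_origin: str = SELF_ORIGIN) -> bool:
    """Return True if a single source expression allows fetching `url`."""
    u = urlsplit(url)
    url_origin = f"{u.scheme}://{u.netloc}"

    if expr == "'self'":
        # 'self' is origin-only: every path on the origin is allowed,
        # which is exactly the weakness the proposal wants to close.
        return url_origin == self_origin

    if expr.startswith("/"):
        # Hypothetical syntax from the proposal (assumption, not spec):
        # an origin-relative path is treated as 'self' restricted to that path.
        return url_origin == self_origin and path_matches(expr, u.path)

    # Ordinary host-source with an optional path part, e.g. https://example.com/js/
    e = urlsplit(expr)
    expr_origin = f"{e.scheme}://{e.netloc}"
    return url_origin == expr_origin and path_matches(e.path, u.path)


def policy_allows(directive_value: str, url: str) -> bool:
    """A directive value is a space-separated source list; any match allows."""
    return any(source_allows(s, url) for s in directive_value.split())


if __name__ == "__main__":
    # Constructed URLs: a legitimate script and one written via an upload folder.
    legit = "https://example.com/js/app.js"
    planted = "https://example.com/uploaded-images/evil.js"
    for policy in ("'self'", "https://example.com/js/", "/js/"):
        print(f"script-src {policy:<26} legit={policy_allows(policy, legit)} "
              f"planted={policy_allows(policy, planted)}")
```

Two caveats worth keeping in mind when relying on paths this way: CSP3 ignores the path part of a source expression once a fetch has been redirected, so a redirect from an allowed path to another path on the same host is still permitted, and the host and scheme must match before the path is consulted at all, so a path-only expression like the proposed `/js/` would only ever be meaningful relative to the policy's own origin.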
Related Action Items:
No related actions
Related emails:
No related emails

Related notes:

No additional notes.


$Id: 73.html,v 1.1 2020/01/17 08:52:43 carcone Exp $