ISSUE-73: Consider allowing relative paths (to 'self') in source productions

CSP path matching

Consider allowing relative paths (to 'self') in source productions

State:
RAISED
Product:
CSP Level 3
Raised by:
Brad Hill
Opened on:
2014-12-30
Description:
Craig Francis to public-webappsec

Hi,

Would it be possible to update the path matching section:

http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching

So that a path can be specified without a domain, e.g.

Content-Security-Policy: script-src /js/;

This would be a bit more restrictive than just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable, whereas /uploaded-images/ might be.

I realise the current domain could be specified, but this would be much shorter :-)

Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but that's just because I won't need them).
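As an added example, not part of the tracker issue or of the CSP specification: a small JavaScript script-src matcher that models the proposed bare-path form (`/js/`) resolved against the document origin, beside `'self'` and a full host-source with a path, so the restrictiveness argument above can be checked directly. It assumes CSP2-style path rules (a source path ending in "/" is a prefix match, any other path an exact match), ignores query and fragment, and does not model the default-src fallback or keyword sources other than 'self'.

```javascript
// Added example (not from the tracker issue or the CSP spec): a minimal script-src
// matcher for the proposed bare-path form. Assumes CSP2-style path rules; see lead-in.
function parseSource(expression, documentOrigin) {
  const doc = new URL(documentOrigin);
  if (expression.startsWith("/")) {
    // Proposed syntax: a path with no host is relative to the document origin.
    return { origin: doc.origin, path: expression };
  }
  // Scheme-less host-sources ("example.com/js/") inherit the document's scheme.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(expression)) {
    expression = doc.protocol + "//" + expression;
  }
  const src = new URL(expression);
  // A host-source written without any path matches every path on that origin.
  const hasPath = /^[a-z][a-z0-9+.-]*:\/\/[^/]+\//i.test(expression);
  return { origin: src.origin, path: hasPath ? src.pathname : "" };
}

function pathMatches(sourcePath, resourcePath) {
  if (sourcePath === "") return true;                                      // no path given
  if (sourcePath.endsWith("/")) return resourcePath.startsWith(sourcePath); // prefix match
  return sourcePath === resourcePath;                                      // exact match
}

function matchesSource(expression, documentOrigin, resourceUrl) {
  const res = new URL(resourceUrl);
  if (expression === "'self'") {
    // 'self' compares scheme, host and port only: every path on the origin passes.
    return res.origin === new URL(documentOrigin).origin;
  }
  if (expression.startsWith("'")) return false; // other keyword sources not modelled
  const src = parseSource(expression, documentOrigin);
  return src.origin === res.origin && pathMatches(src.path, res.pathname);
}

// True if the policy's script-src directive permits loading resourceUrl.
function scriptAllowed(policy, documentOrigin, resourceUrl) {
  const directive = policy.split(";").map(s => s.trim())
    .find(s => s.split(/\s+/)[0] === "script-src");
  if (!directive) return true; // no script-src: default-src fallback not modelled
  const sources = directive.slice("script-src".length).trim().split(/\s+/);
  return sources.some(src => matchesSource(src, documentOrigin, resourceUrl));
}

// The issue's scenario (constructed sample URLs): uploads are writable, /js/ is not.
const ORIGIN = "https://example.com";
const UPLOADED = ORIGIN + "/uploaded-images/evil.js";
console.log(scriptAllowed("script-src 'self';", ORIGIN, UPLOADED)); // true
console.log(scriptAllowed("script-src /js/;", ORIGIN, UPLOADED));   // false
```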
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

No additional notes.

Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts