ISSUE-73: Consider allowing relative paths (to 'self') in source productions
CSP path matching
- State: RAISED
- Product: CSP Level 3
- Raised by: Brad Hill
- Opened on: 2014-12-30
- Description: Craig Francis to public-webappsec
Hi,
Would it be possible to update the path matching section:
http://w3c.github.io/webappsec/specs/content-security-policy/#source-list-path-patching
So that a path can be specified without a domain, e.g.
Content-Security-Policy: script-src /js/;
This would be a bit more restrictive than just using "self", as a malicious JavaScript file could be uploaded via a CMS vulnerability, where the /js/ folder might not be writable, whereas /uploaded-images/ might be.
I realise the current domain could be specified, but this would be much shorter :-)
Might be worth also noting if relative URLs should be allowed (I'm tempted to say no, but that's just because I won't need them).
- Related Action Items: No related actions
- Related emails: No related emails
- Related notes: No additional notes.
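The following is an added illustration of the proposal in the e-mail above; it is not code from the tracker record, from the CSP specification, or from any browser. It implements a minimal CSP source-list matcher that understands 'self', host sources with the CSP Level 2/3 path rule (a source path ending in "/" is a prefix match, any other path must match exactly), and the proposed bare-path form ("script-src /js/"), which it interprets as "the document's own origin, limited to that path". The document URL, the CMS layout (/js/ read-only, /uploaded-images/ writable) and the file names are constructed for the example. It also models one caveat a reviewer of this proposal would want on the table: CSP ignores the path component of a source expression once the request has followed a redirect, so a path-only source is a weaker boundary than an origin restriction.

```javascript
// Added example for ISSUE-73 (not code from the tracker page or the CSP spec):
// a minimal CSP source-list matcher that, besides 'self' and host sources,
// accepts the proposed path-only form ("script-src /js/") and treats it as
// "the protected document's origin, limited to that path".
// Uses only the WHATWG URL class (built into Node.js and browsers).

// CSP Level 2/3 path rule: a source path ending in "/" is a prefix match,
// anything else must match the URL path exactly; "/" or "" means no path
// restriction. (Simplification: neither path is percent-decoded here.)
function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "" || sourcePath === "/") return true;
  if (sourcePath.endsWith("/")) return urlPath.startsWith(sourcePath);
  return urlPath === sourcePath;
}

// Turn one source expression into {origin, path}. A bare absolute path is
// the ISSUE-73 proposal and is resolved against the document's own origin;
// a host source without a scheme inherits the document's scheme.
// (Simplification: no "*" wildcards and no scheme-only sources.)
function parseSource(expr, self) {
  if (expr.startsWith("/")) {
    const t = new URL(expr, self.origin);
    return { origin: t.origin, path: t.pathname };
  }
  const t = new URL(expr.includes("://") ? expr : `${self.protocol}//${expr}`);
  return { origin: t.origin, path: t.pathname };
}

// Does a single source expression allow `url`? `redirected` models the CSP
// rule that the path component of a source expression is ignored once the
// request has followed a redirect (CSP Level 2, "Paths and Redirects").
function sourceMatches(expr, url, self, redirected) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  const src = parseSource(expr, self);
  if (src.origin !== url.origin) return false;
  return redirected || pathMatches(src.path, url.pathname);
}

// Does the directive value (e.g. "'self' /js/ cdn.example.com/lib/") allow
// loading `url` into a document located at `documentUrl`?
function allowedBy(directiveValue, url, documentUrl, redirected = false) {
  const self = new URL(documentUrl);
  const target = new URL(url);
  return directiveValue
    .trim()
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => sourceMatches(expr, target, self, redirected));
}

// Constructed scenario from the e-mail: a CMS where /js/ is read-only but
// /uploaded-images/ accepts uploads, and an attacker parks evil.js there.
const page = "https://example.com/article/1";
const good = "https://example.com/js/app.js";
const evil = "https://example.com/uploaded-images/evil.js";

function demo() {
  console.log("'self' allows evil.js:        ", allowedBy("'self'", evil, page)); // true
  console.log("/js/ allows app.js:           ", allowedBy("/js/", good, page));   // true
  console.log("/js/ allows evil.js:          ", allowedBy("/js/", evil, page));   // false
  console.log("/js/ allows evil.js (redirect):", allowedBy("/js/", evil, page, true)); // true
}

demo();
```

Run with `node` to see the four checks. The last line is the practical caveat: if example.com has an open redirect, or /js/ ever serves a 3xx to an attacker-controlled path, the path part of "/js/" no longer applies and the check degrades to the same origin comparison as 'self'. Only the absolute-path form (leading "/") is handled; the dot-relative URLs the e-mail mentions are deliberately left unsupported, matching the author's own inclination.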