On 7/6/09 10:14 AM, Sid Stamm wrote:
> > Are relative URIs valid for the report-URI/policy-URI? (Seems like
> > this would be a good thing to support). However, if so, is there any
> > interaction/relationship with the BASE tag, which is supposed to also
> > appear early in the head?
>
> Very good question. Whether or not a BASE tag is present, the UA
> has to figure out what host to request the content from and over what
> scheme and port to request it; at this level, relative and absolute URIs
> should appear the same. I'll try to make this more obvious in the Spec.

Actually, I got a little ahead of myself about the BASE tag. If the CSP
is specified in an HTTP header, then I don't think the BASE HTML tag
should have any effect on the resolution of a relative URI. It is
defined in a different layer, and should really only affect the HTML
content and anything it does (not the protocol-level stuff).
So in brief, I think the BASE tag shouldn't affect any HTTP header-level
URIs at all, but relative URIs might be okay since the policy-uri and
report-uri are required to be same scheme/host/port anyway.
-Sid
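
The resolution rule discussed in this message, as an added example that is not part of the original post or of the CSP specification: a header-supplied report-uri/policy-uri is resolved against the URL of the protected document, any BASE href is ignored, and the result is rejected unless scheme, host and port match. The function names, parameters and the example.com URLs are assumptions made for illustration.

```javascript
'use strict';

// Compare scheme, host and port. The WHATWG URL parser already normalizes
// default ports (80 for http, 443 for https) to the empty string.
function sameSchemeHostPort(a, b) {
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// Resolve a report-uri / policy-uri value taken from an HTTP response header.
//   documentUrl: URL the protected response was fetched from
//   headerUri:   URI as written in the header (relative or absolute)
//   baseHref:    href of any <base> element in the HTML; accepted only to
//                make explicit that it plays no part in the resolution
function resolveHeaderUri(documentUrl, headerUri, baseHref) {
  void baseHref; // header-level URIs live below the HTML layer
  const doc = new URL(documentUrl);
  let resolved;
  try {
    resolved = new URL(headerUri, doc); // relative forms resolve against the document
  } catch (e) {
    return { ok: false, reason: 'unparseable URI' };
  }
  if (!sameSchemeHostPort(doc, resolved)) {
    return { ok: false, reason: 'scheme/host/port differs from document' };
  }
  return { ok: true, url: resolved.href };
}

// Constructed sample inputs: one document URL, one unrelated BASE href.
const DOC = 'https://example.com/app/page.html';
const BASE = 'https://cdn.example.net/assets/';

function demo() {
  return [
    '/csp-report',                 // absolute path
    'report',                      // relative to the document's directory
    'https://example.com:443/r',   // absolute, default port spelled out
    'http://example.com/r',        // scheme differs
    'https://example.com:8443/r',  // port differs
    '//other.example/r',           // host differs
  ].map((u) => resolveHeaderUri(DOC, u, BASE));
}
```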