On Tue, Jul 26, 2011 at 5:19 PM, Daniel Veditz <dved...@mozilla.com> wrote:
> On 7/22/11 7:18 PM, Eli Grey wrote:
>> CSP needs a way to support object URLs, of which the scheme is
>> implementation specific (e.g. moz-filedata:{GUID} in Firefox,
>> blob:{origin}{GUID} in WebKit). How might this be accomplished?
>
> This is a better conversation for public-web-secur...@w3.org where
> we're working on standardizing CSP -- added with a CC though this
> conversation is likely to fork.
>
> Off the top of my head I think we should treat those as coming from
> 'self' since the data is ultimately available to the page and under
> its control.
>
> If that doesn't work another option is to treat them similarly to
> data: urls: block them unless explicitly allowed and let them be
> whitelisted by scheme alone.

Please feel encouraged to test the behavior in WebKit, but I believe
we treat them as 'self' because they're treated as same-origin
everywhere else (e.g., also for XMLHttpRequest).

Adam
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
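The two options Dan sketches above, as an added example that is not part of the thread and not any browser's code: a toy CSP source matcher in JavaScript with a switch between treating object URLs as 'self' (what Adam says WebKit does, since the creating document's origin is what the URL belongs to) and treating them like data: URLs (blocked unless the scheme is listed). The parser, the objectUrlsAreSelf option and the creatorOrigin parameter are assumptions made for illustration; the policy string and URLs are constructed.

```javascript
"use strict";

// Hypothetical matcher for the CSP object-URL discussion; not a browser's code.
// Object-URL schemes are implementation specific (thread: moz-filedata:, blob:).
const OBJECT_URL_SCHEMES = new Set(["blob:", "moz-filedata:"]);

// Parse "default-src 'self'; img-src 'self' data:" into Map(directive -> [sources]).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Describe a URL for matching. For object URLs the caller supplies the origin of
// the document that created it (a real UA would consult its object-URL registry);
// for WebKit-style blob:{origin}{GUID} URLs the origin is recoverable from the
// URL itself, so it is derived when no creatorOrigin is given.
function describeUrl(urlString, creatorOrigin) {
  const scheme = urlString.slice(0, urlString.indexOf(":") + 1).toLowerCase();
  if (OBJECT_URL_SCHEMES.has(scheme)) {
    let origin = creatorOrigin || null;
    if (!origin && scheme === "blob:") origin = new URL(urlString.slice(5)).origin;
    return { scheme, isObjectUrl: true, origin };
  }
  const u = new URL(urlString);
  return { scheme: u.protocol, isObjectUrl: false, origin: u.origin };
}

// Does one source expression permit the resource?
function sourceAllows(expr, res, pageOrigin, opts) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    // Option 1: an object URL created by this origin counts as 'self'.
    if (res.isObjectUrl) return Boolean(opts.objectUrlsAreSelf) && res.origin === pageOrigin;
    return res.origin === pageOrigin;
  }
  // Scheme-only source such as data: or blob: (option 2 for object URLs). Note
  // that this is coarser than 'self': it says nothing about which origin made the URL.
  if (e.endsWith(":") && !e.includes("/")) return res.scheme === e;
  // Host source; a scheme-less host inherits the page's scheme. Wildcards omitted.
  if (res.isObjectUrl) return false;
  try {
    const hostExpr = e.includes("://") ? e : `${new URL(pageOrigin).protocol}//${e}`;
    return new URL(hostExpr).origin === res.origin;
  } catch (_) {
    return false;
  }
}

// Is urlString allowed under `directive`, falling back to default-src?
function allowed(policy, directive, urlString, pageOrigin, opts = {}, creatorOrigin) {
  const sources = policy.get(directive) || policy.get("default-src");
  if (!sources) return true; // no applicable directive: unrestricted
  const res = describeUrl(urlString, creatorOrigin);
  return sources.some((s) => sourceAllows(s, res, pageOrigin, opts));
}

// Constructed inputs: a page origin, a policy and a blob URL it created.
const PAGE = "https://app.example";
const POLICY = parsePolicy("default-src 'self'; img-src 'self' data:; script-src 'self' blob:");
const BLOB_URL = "blob:https://app.example/0f2b4a1e-5c6d-4e7f-8a9b-0c1d2e3f4a5b";

console.log("img-src, blob treated as 'self':", allowed(POLICY, "img-src", BLOB_URL, PAGE, { objectUrlsAreSelf: true }));
console.log("img-src, blob needs scheme entry:", allowed(POLICY, "img-src", BLOB_URL, PAGE, { objectUrlsAreSelf: false }));
console.log("script-src, blob: listed:", allowed(POLICY, "script-src", BLOB_URL, PAGE, { objectUrlsAreSelf: false }));
```

Under option 1 the blob image loads because the page's own origin made it; under option 2 it is blocked until the author adds blob: to img-src. The script-src case shows the caveat with option 2: a scheme-only entry admits any blob: URL regardless of its embedded origin, whereas 'self' keeps the origin check.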
