On Tue, Jul 26, 2011 at 5:19 PM, Daniel Veditz <[email protected]> wrote:
> On 7/22/11 7:18 PM, Eli Grey wrote:
>> CSP needs a way to support object URLs, of which the scheme is
>> implementation specific (e.g. moz-filedata:{GUID} in Firefox,
>> blob:{origin}{GUID} in WebKit). How might this be accomplished?
>
> This is a better conversation for [email protected] where
> we're working on standardizing CSP -- added with a CC though this
> conversation is likely to fork.
>
> Off the top of my head I think we should treat those as coming from
> 'self' since the data is ultimately available to the page and under
> its control.
>
> If that doesn't work another option is to treat them similarly to
> data: urls: block them unless explicitly allowed and let them be
> whitelisted by scheme alone.
Please feel encouraged to test the behavior in WebKit, but I believe we
treat them as 'self' because they're treated as same-origin everywhere
else (e.g., also for XMLHttpRequest).

Adam

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
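The two options Dan lays out (object URLs count as 'self', or object URLs are blocked unless their scheme is listed, the way data: is handled) are easy to compare side by side in a toy source-list matcher. The following is an added illustration, not code from this thread, from Firefox or from WebKit, and not the matching algorithm of the CSP spec; the policy strings, origins and GUIDs in it are constructed. One refinement is assumed here that nobody in the thread states: under the 'self' option, a blob: URL that embeds an origin is only accepted when that embedded origin is the page's own, while moz-filedata: URLs, which carry no origin, are accepted as 'self' outright.

```javascript
// Toy model of CSP source-list matching for object URLs.
// Added example; not the CSP spec's algorithm and not what any browser ships.
// Schemes named in the thread: moz-filedata:{GUID} (Firefox), blob:{origin}{GUID} (WebKit).
const OBJECT_URL_SCHEMES = new Set(["blob", "moz-filedata"]);

// Lower-case scheme of a URL, or null if it has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// "scheme://host[:port]" for http(s) URLs, with default ports dropped so
// https://a.example and https://a.example:443 compare equal; null otherwise.
function originOf(url) {
  const m = /^(https?):\/\/([^/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const defaultPort = scheme === "https" ? "443" : "80";
  const port = m[3] || defaultPort;
  return port === defaultPort ? `${scheme}://${host}` : `${scheme}://${host}:${port}`;
}

// Does one source expression admit `url` for a page served from `pageOrigin`?
// `objectUrlMode` picks the option under discussion:
//   "self"   - object URLs count as 'self' (first suggestion)
//   "scheme" - object URLs are blocked unless their scheme is listed,
//              as data: URLs are (second suggestion)
function matchesSource(expr, pageOrigin, url, objectUrlMode) {
  const scheme = schemeOf(url);

  if (expr === "'self'") {
    if (scheme && OBJECT_URL_SCHEMES.has(scheme)) {
      if (objectUrlMode !== "self") return false;
      // Assumed refinement: a blob: URL embeds the creating origin, so require
      // it to be the page's own; moz-filedata: carries no origin and passes.
      const inner = scheme === "blob" ? originOf(url.slice("blob:".length)) : null;
      return inner === null || inner === pageOrigin;
    }
    const origin = originOf(url);
    return origin !== null && origin === pageOrigin;
  }

  // scheme-source such as "blob:" or "data:": match on scheme alone
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return scheme === expr.slice(0, -1).toLowerCase();
  }

  // host-source such as "https://cdn.example": compare normalised origins
  const exprOrigin = originOf(expr);
  return exprOrigin !== null && exprOrigin === originOf(url);
}

// Evaluate one directive value, e.g. "'self' https://cdn.example blob:".
function allowedBy(directiveValue, pageOrigin, url, objectUrlMode) {
  return directiveValue
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => matchesSource(expr, pageOrigin, url, objectUrlMode));
}

// Constructed sample: the same object URL under both options.
const PAGE = "https://app.example";
const OBJ = "blob:https://app.example/7d3a2c1e-0000-4000-8000-000000000001";
const decision = {
  asSelf: allowedBy("'self'", PAGE, OBJ, "self"),           // true
  schemeOnly: allowedBy("'self'", PAGE, OBJ, "scheme"),     // false
  schemeListed: allowedBy("'self' blob:", PAGE, OBJ, "scheme"), // true
};
```

The usage at the bottom shows the practical difference: under the first option an existing "'self'" policy keeps working for object URLs, under the second every such policy must be extended with "blob:" (or "moz-filedata:") before the page can load what it created itself.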
