Is inheritance of 'self' to local-scheme appropriate? #259

Closed
shhnjk opened this issue Oct 27, 2017 · 2 comments
@shhnjk
Member

shhnjk commented Oct 27, 2017

We discussed that 'self' inherited to local-scheme (e.g. data URL) should be treated as local-scheme itself.

But this means that if a website https://A.com wants to load data: frames and wishes to load resources inside data: frames from itself, then they need to give up on default-src 'self' and they should add default-src https://A.com.

Is this how websites should implement CSP? Seems complicated.

@ckerschb

ckerschb commented Nov 2, 2017

The other use case to consider is: what about a data: URI iframe that ships a meta CSP using 'self'? Unique origins don't even match themselves, hence 'self' does not make any sense in that scenario.

@annevk
Member

annevk commented Nov 2, 2017

(A unique origin does match itself, but you cannot compute the same unique origin twice from a single data URL.)
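
The scenario discussed in this thread, as an added example that is not code from any participant or from the CSP specification: a simplified model of source matching in which `'self'` is bound either to the embedding page's origin or to the data: document's own opaque origin. The function names, the sample URLs and the reading of "treated as local-scheme itself" as "bound to the frame's opaque origin" are assumptions made for illustration.

```javascript
// Added example: simplified model, not the CSP specification's matching algorithm.
// Tuple origins are strings; an opaque (unique) origin is a fresh object, so it
// equals itself by identity but is never equal to a second computation.
function originOf(url) {
  const u = new URL(url);
  return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : { opaque: true };
}

function sameOrigin(a, b) {
  return a === b;
}

// selfOrigin: the origin that 'self' is bound to when the policy is enforced.
// Host-sources are compared as exact origins only (no paths or wildcards).
function allows(sourceList, selfOrigin, requestUrl) {
  const requestOrigin = originOf(requestUrl);
  return sourceList.some((source) =>
    source === "'self'"
      ? sameOrigin(selfOrigin, requestOrigin)
      : sameOrigin(originOf(source), requestOrigin));
}

function evaluateThreadScenario() {
  const FRAME_URL = 'data:text/html,<p>frame</p>'; // constructed sample
  const RESOURCE = 'https://A.com/app.js';         // constructed sample
  const embedder = originOf('https://A.com/');
  const frame = originOf(FRAME_URL);
  return {
    // 'self' keeps pointing at the embedding page's origin.
    selfBoundToEmbedder: allows(["'self'"], embedder, RESOURCE),
    // Assumed reading of the proposal: 'self' is bound to the data: document itself.
    selfBoundToFrame: allows(["'self'"], frame, RESOURCE),
    // The workaround from the first comment: name the origin explicitly.
    explicitOrigin: allows(['https://A.com'], frame, RESOURCE),
    // The last comment's point about unique origins.
    opaqueMatchesItself: sameOrigin(frame, frame),
    recomputedOpaqueMatches: sameOrigin(originOf(FRAME_URL), originOf(FRAME_URL)),
  };
}

console.log(evaluateThreadScenario());
```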
