Effective directive routes non-script-like request through script-src-elem #382

Closed
notriddle opened this issue Feb 1, 2019 · 1 comment

@notriddle

According to https://www.w3.org/TR/CSP/#effective-directive-for-a-request, XSLT documents should be checked as script.

The first check for all script-src-elem checks, however, is to check if the request is script-like as defined by fetch. Fetch does not define XSLT as a script-like check https://fetch.spec.whatwg.org/#request-destination-script-like, which makes the entire thing a no-op always-allow rule.

Is that the intent here?

@notriddle (Author)

Stupid. Stupid, stupid, stupid.

There's a big freaking warning right underneath it that says how it's supposed to be used. How did I miss that?!
