Bug 113307

Summary: CSP 1.1: Experiment with 'base-uri' directive.
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Mike West <mkwst>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric, esprehn+autocc, jochen, justashar, mkwst+watchlist, ojan.autocc, slightlyoff, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 99318
Bug Blocks: 85558
Attachments:
Description: Patch
Flags: none

Description Mike West 2013-03-26 06:58:59 PDT
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#base-uri defines a 'base-uri' directive which restricts the valid URIs which can be used to set the document's base URI. In order to feed implementation experience back into the working group, and to get a feel for how the API would work (and whether it addresses the use cases we care about), we should put together an experimental implementation behind the CSP_NEXT flag.

Spec: https://dvcs.w3.org/hg/content-security-policy/rev/4b89c246ea16
Thread: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0074.html
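
The restriction described above, as an added example that is not part of the bug report or of WebKit's patch: a simplified check of whether a `<base href>` value is permitted by a policy's `base-uri` source list. The function names, the sample policy and the URLs are constructed for illustration, and the matching rules are a reduced model (source paths ignored; a policy without `base-uri` is assumed to leave the base URI unrestricted).

```javascript
// Added example, not WebKit's implementation. Simplified source matching:
// 'none', 'self', "*", scheme sources ("https:") and host sources with an
// optional scheme, "*." subdomain wildcard and port. Source paths are ignored.

// Constructed sample policy.
const POLICY = "default-src 'self'; base-uri 'self' https://cdn.example.com";

// Return the base-uri source list, or null when the policy has no such directive.
function baseUriSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'base-uri') return sources;
  }
  return null;
}

// Port a URL actually uses, filling in the scheme default that URL.port omits.
function effectivePort(url) {
  if (url.port) return url.port;
  return { 'http:': '80', 'https:': '443' }[url.protocol] || '';
}

// Does one source expression match the resolved base URL?
function matchesSource(source, target, doc) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === doc.origin;
  if (s.startsWith("'")) return false; // 'none' and unknown keywords match nothing
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a scheme-less host source takes the document's own scheme.
  if ((scheme ? scheme + ':' : doc.protocol) !== target.protocol) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  const portOk = port === '*' || (port ? port === effectivePort(target) : target.port === '');
  return hostOk && portOk;
}

// Would <base href=baseHref> be accepted in a document at documentUrl?
function baseAllowed(policy, documentUrl, baseHref) {
  const sources = baseUriSources(policy);
  if (sources === null) return true; // assumption: no directive, no restriction
  const doc = new URL(documentUrl);
  const target = new URL(baseHref, doc); // relative hrefs resolve against the document
  return sources.some((src) => matchesSource(src, target, doc));
}
```
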
Comment 1 Mike West 2013-03-26 07:07:06 PDT
Created attachment 195079
Patch
Comment 2 Mike West 2013-03-26 07:11:40 PDT
Hey Jochen, I'm not sure if you're interested in reviewing CSP patches while Adam's out. If you are, would you mind taking a look at this one? If not, I'll poke Eric later.

This isn't at all high-priority, so no rush. Thanks!
Comment 3 jochen 2013-03-26 07:20:19 PDT
Comment on attachment 195079
Patch

ok
Comment 4 Mike West 2013-03-26 07:30:19 PDT
Cool. Once the CSP_NEXT bots are happy, I'll CQ the patch.
Comment 5 WebKit Review Bot 2013-03-26 08:25:14 PDT
Comment on attachment 195079
Patch

Clearing flags on attachment: 195079

Committed r146886: <http://trac.webkit.org/changeset/146886>
Comment 6 WebKit Review Bot 2013-03-26 08:25:17 PDT
All reviewed patches have been landed.  Closing bug.