https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#base-uri defines a 'base-uri' directive which restricts the valid URIs which can be used to set the document's base URI. In order to feed implementation experience back into the working group, and to get a feel for how the API would work (and whether it addresses the use cases we care about), we should put together an experimental implementation behind the CSP_NEXT flag.

Spec: https://dvcs.w3.org/hg/content-security-policy/rev/4b89c246ea16

Thread: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0074.html
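For readers following the directive described in the report above, here is a simplified check of a candidate `<base href>` against a policy's `base-uri` source list; it is an added example, not the WebKit patch or the spec's full matching algorithm. The function names, sample policies and URLs are constructed for illustration, and it assumes a scheme-less host-source inherits the document's scheme and that a policy without `base-uri` leaves the base URL unrestricted.

```javascript
// Added example: simplified CSP source matching for base-uri (not WebKit's code).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the source list of directive `name` from a policy string, or null if absent.
function directiveSources(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Match one source expression against an already-resolved URL.
function matchesSource(source, url, docUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === docUrl.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // unrecognized source expressions never match
  const [, scheme, wildcard, host, port, path] = m;
  // Assumption: a scheme-less host-source inherits the document's scheme.
  if (url.protocol !== (scheme ? scheme.toLowerCase() + ':' : docUrl.protocol)) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, not example.com itself.
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port !== '*' && urlPort !== (port || DEFAULT_PORTS[url.protocol] || '')) return false;
  if (!path) return true;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Would <base href=candidate> be honoured in a document at docHref under `policy`?
function allowsBaseUri(policy, candidate, docHref) {
  const sources = directiveSources(policy, 'base-uri');
  if (sources === null) return true; // no base-uri directive: unrestricted
  const docUrl = new URL(docHref);
  let url;
  try { url = new URL(candidate, docUrl); } catch { return false; }
  return sources.some((src) => matchesSource(src, url, docUrl));
}
```
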
Created attachment 195079: Patch
Hey Jochen, I'm not sure if you're interested in reviewing CSP patches while Adam's out. If you are, would you mind taking a look at this one? If not, I'll poke Eric later. This isn't at all high-priority, so no rush. Thanks!
Comment on attachment 195079: Patch

ok
Cool. Once the CSP_NEXT bots are happy, I'll CQ the patch.
Comment on attachment 195079: Patch

Clearing flags on attachment: 195079

Committed r146886: <http://trac.webkit.org/changeset/146886>
All reviewed patches have been landed. Closing bug.