On 29 July 2013 17:47, Stefan Arentz <sare...@mozilla.com> wrote:
> Can CSP play a role here?
>
> What if my site is on https://foo.com and I set connect-src to http://foo.com 
> ? Would that override the mixed content blocking? If not, is that something 
> we should implement?
>

Interesting idea. I'm pretty sure we don't do this now (remembering
the code; untested). Indeed, the idea of CSP is for a page to lock
down the external sources, not open them up.

Rather than setting a CORS-style header on the WebSocket resource
("X-Access-Control-Security: externally-verifiable"), we could make a
new CSP header for the hosting page ("X-Content-Security-Policy-Allow:
connect-src 'http-self'") to add in extra policy options for the page.

It's hard to say which is better. Perhaps the per-resource CORS
approach is preferable.


Nicholas
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security