Content-Security-Policy for URLs #59

Open
notriddle opened this issue Sep 28, 2017 · 2 comments
Comments

notriddle (Member) commented Sep 28, 2017

https://github.com/notriddle/ammonia/issues/57#issuecomment-332423056

Just to be clear:

  • The UrlRelative setting is just for resolving URLs. It is not an all-encompassing filter; it does nothing to absolute URLs.
  • Some people want the ability to filter all allowed URLs. And it seems sensible to just implement the same Content-Security-Policy language that browsers already implement, especially since it means the same definition can be shared between both.
notriddle (Member, Author) commented Sep 29, 2017

Before I can decide if this needs to go in at 1.0 or if it should be delayed until after 1.0 is released, we need to answer the question of whether there should be a Content-Security-Policy by default.

I think the answer's no, since the default setting blocks all CSS and JavaScript, while CSP is a way to restrict where CSS and JavaScript come from (as well as images, multimedia, objects, fonts, and a few other things that can usually be safely loaded from anywhere anyway).

notriddle (Member, Author) commented

https://github.com/notriddle/rust-content-security-policy/

Unless somebody knows of a Content-Security-Policy parser. I couldn't find one after a brief search of Crates.IO.
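Added example (editor's illustration, not ammonia's code and not the rust-content-security-policy crate): a self-contained Rust matcher for the CSP source-list grammar that decides, per fetch directive, whether an absolute URL found in a sanitized attribute may be kept. It shows the "same definition as the browser" idea from the first comment and a minimal form of the parser asked for above. The names (`parse_policy`, `url_allowed`, `Origin`), the page origin and the sample policy are all constructed for the example; path matching and IPv6 hosts are left out, and a relative URL is simply treated as same-origin, which is what UrlRelative would resolve it to.

```rust
// Added example, not ammonia's code: a minimal CSP source-list matcher for URLs in sanitized HTML; all names and data are made up.
use std::collections::HashMap;

/// A CSP source expression (CSP3 subset: no path matching, no IPv6 hosts).
enum Source {
    Any,            // *   (network schemes only, never data:, blob: or javascript:)
    SelfOrigin,     // 'self'
    Scheme(String), // https:  data:
    Host { scheme: Option<String>, host: String, port: Option<String> },
}

/// Scheme/host/port of a URL, or of the page that will embed the sanitized HTML.
#[derive(Clone)]
struct Origin { scheme: String, host: String, port: Option<String> }

fn split_hostport(hp: &str) -> (&str, Option<String>) {
    match hp.rfind(':') { Some(i) => (&hp[..i], Some(hp[i + 1..].to_string())), None => (hp, None) }
}

/// Origin of an absolute URL; None for relative ones such as "/a.png" or "dir/a:b".
fn split_url(url: &str) -> Option<Origin> {
    let colon = url.find(':')?;
    let scheme = url[..colon].to_ascii_lowercase();
    if scheme.is_empty() || !scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c)) {
        return None;
    }
    let authority = match url[colon + 1..].strip_prefix("//") {
        Some(a) => &a[..a.find(|c: char| "/?#".contains(c)).unwrap_or(a.len())],
        None => "", // data:, javascript:, mailto: carry no authority
    };
    let (host, port) = split_hostport(authority.rsplit('@').next().unwrap_or("")); // drop userinfo
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port })
}

fn parse_source(tok: &str) -> Option<Source> {
    let t = tok.to_ascii_lowercase();
    match t.as_str() {
        "*" => return Some(Source::Any),
        "'self'" => return Some(Source::SelfOrigin),
        s if s.starts_with('\'') => return None, // 'none', nonces, hashes: no URL to match
        s if s.ends_with(':') && !s.contains('/') => return Some(Source::Scheme(s.trim_end_matches(':').into())),
        _ => {}
    }
    let (scheme, rest) = match t.find("://") {
        Some(i) => (Some(t[..i].to_string()), &t[i + 3..]),
        None => (None, t.as_str()),
    };
    let (host, port) = split_hostport(rest.split('/').next().unwrap_or(""));
    if host.is_empty() { None } else { Some(Source::Host { scheme, host: host.to_string(), port }) }
}

/// "directive sources; directive sources". As in browsers, the first copy of a directive wins.
fn parse_policy(text: &str) -> HashMap<String, Vec<Source>> {
    let mut policy = HashMap::new();
    for d in text.split(';') {
        let mut toks = d.split_whitespace();
        if let Some(name) = toks.next() {
            let sources: Vec<Source> = toks.filter_map(parse_source).collect();
            policy.entry(name.to_ascii_lowercase()).or_insert(sources);
        }
    }
    policy
}

fn default_port(scheme: &str) -> Option<&'static str> { match scheme { "http" | "ws" => Some("80"), "https" | "wss" => Some("443"), _ => None } }

fn scheme_matches(wanted: &str, got: &str) -> bool {
    wanted == got || (wanted == "http" && got == "https") // http: also matches https, per CSP3
}

fn port_matches(expected: Option<&str>, url: &Origin) -> bool {
    let actual = url.port.as_deref().or_else(|| default_port(&url.scheme)); // ":443" == no port
    match expected { Some("*") => true, Some(p) => actual == Some(p), None => actual == default_port(&url.scheme) }
}

fn source_matches(src: &Source, url: &Origin, page: &Origin) -> bool {
    match src {
        Source::Any => matches!(url.scheme.as_str(), "http" | "https" | "ws" | "wss"),
        Source::SelfOrigin => url.scheme == page.scheme && url.host == page.host && port_matches(page.port.as_deref(), url),
        Source::Scheme(s) => scheme_matches(s, &url.scheme),
        Source::Host { scheme, host, port } => {
            let host_ok = match host.strip_prefix("*.") {
                // "*.cdn.example" matches "img.cdn.example" but not "cdn.example" or "xcdn.example"
                Some(suffix) => url.host.strip_suffix(suffix).map_or(false, |p| p.len() > 1 && p.ends_with('.')),
                None => url.host == *host,
            };
            scheme_matches(scheme.as_deref().unwrap_or(&page.scheme), &url.scheme) && host_ok && port_matches(port.as_deref(), url)
        }
    }
}

/// Is `url` loadable under `directive` (e.g. "img-src")? Falls back to default-src as a browser
/// does; a relative URL is taken as same-origin, which is what UrlRelative would resolve it to.
fn url_allowed(policy: &HashMap<String, Vec<Source>>, directive: &str, url: &str, page: &Origin) -> bool {
    let sources = match policy.get(directive).or_else(|| policy.get("default-src")) {
        Some(s) => s,
        None => return true, // no applicable directive: CSP imposes no restriction
    };
    let target = split_url(url).unwrap_or_else(|| page.clone());
    sources.iter().any(|s| source_matches(s, &target, page))
}
```

Usage: build the page origin once (e.g. `Origin { scheme: "https".into(), host: "forum.example".into(), port: None }`), parse a policy such as `default-src 'none'; img-src 'self' https://*.cdn.example; media-src https:; font-src data:`, and call `url_allowed(&policy, "img-src", src, &page)` for each `<img src>` the sanitizer kept; a `false` means the attribute should be dropped. Two details matter in practice: `default-src 'none'` is what makes unlisted directives (object-src, frame-src) fail closed, and `*` deliberately never matches `data:` or `javascript:` URLs, so a policy cannot accidentally re-admit what the sanitizer's scheme allow-list removed.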

@notriddle notriddle added this to the 1.1 milestone Oct 6, 2017
@notriddle notriddle removed this from the 1.1 milestone Jul 18, 2018