Open bakkot opened 4 years ago
Are there detailed tests for this? What browsers do probably influences to what extent this can be cleaned up.
There do not appear to be any tests for `base-uri` directives which contain anything other than a single fully qualified URL. (In general the behavior for unusual CSPs is very poorly specified and even more poorly tested.)
The value for `base-uri` is a serialized-source-list, which means that, for example, `base-uri 'unsafe-eval'` is legal. By contrast, the value for `frame-ancestors` is an ancestor-source-list, which is exactly like serialized-source-list except that it only takes hosts, schemes, or `'self'`, or `'none'`. In both cases the only operation performed is "Does url match source list in origin with redirect count?", which is only concerned with hosts, schemes, and `'self'`. In neither case is there a fallback to any other directive. So why do they have different grammars?

(`navigate-to` similarly only cares about URLs except that it also allows `'unsafe-allow-redirects'`, which is technically a keyword-source, but is used only by `navigate-to`.)
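To make the grammar difference concrete, here is a small policy linter written for this page (it is not code from the issue, the CSP spec, or any browser). It models the two productions the issue contrasts: a serialized-source-list accepts any source expression (scheme, host, keyword, nonce, hash), while an ancestor-source-list accepts only schemes, hosts, `'self'` or a lone `'none'`. It also reports which expressions in a `base-uri` value are inert, i.e. parse fine but can never be consulted by "Does url match source list in origin with redirect count?", which only looks at hosts, schemes and `'self'`. The regexes are deliberately simplified approximations of the ABNF, not a spec-complete parser.

```python
import re

# Simplified recognizers for CSP source expressions (approximations, not the full ABNF).
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_SOURCE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                   # optional scheme-part
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"  # host-part, with optional leading *.
    r"(?::(?:\d+|\*))?"                                   # optional port-part
    r"(?:/[^\s;,]*)?$"                                    # optional path-part
)
NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/\-_]+=*'$")
HASH_SOURCE = re.compile(r"^'(?:sha256|sha384|sha512)-[A-Za-z0-9+/\-_]+=*'$")
KEYWORD_SOURCES = {
    "'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'unsafe-allow-redirects'",
    "'wasm-unsafe-eval'",
}

# The only source kinds the URL-matching algorithm ever compares against a URL.
URL_MATCHING_KINDS = {"scheme-source", "host-source"}


def classify(expr):
    """Return the production a single source expression belongs to, or None."""
    if expr in KEYWORD_SOURCES:
        return "keyword-source"
    if NONCE_SOURCE.match(expr):
        return "nonce-source"
    if HASH_SOURCE.match(expr):
        return "hash-source"
    if SCHEME_SOURCE.match(expr):
        return "scheme-source"
    if HOST_SOURCE.match(expr):
        return "host-source"
    return None


def validate_source_list(value, grammar):
    """Check a directive value against 'serialized-source-list' or 'ancestor-source-list'.

    Returns (True, kinds) where kinds lists the production of each token, or
    (False, reason). 'none' is only valid on its own in either grammar.
    """
    tokens = value.split()
    if not tokens:
        return False, "empty value"
    if tokens == ["'none'"]:
        return True, ["'none'"]
    kinds = []
    for tok in tokens:
        kind = classify(tok)
        if kind is None:
            return False, f"unparseable source expression: {tok}"
        if grammar == "ancestor-source-list":
            # ancestor-source = scheme-source / host-source / "'self'"
            if kind not in URL_MATCHING_KINDS and tok != "'self'":
                return False, f"{tok} ({kind}) is not an ancestor-source"
        kinds.append(kind)
    return True, kinds


def inert_expressions(value):
    """Tokens that parse as a serialized-source-list but are never consulted by URL matching."""
    ok, kinds = validate_source_list(value, "serialized-source-list")
    if not ok or kinds == ["'none'"]:
        return []
    return [
        tok for tok, kind in zip(value.split(), kinds)
        if kind not in URL_MATCHING_KINDS and tok != "'self'"
    ]


if __name__ == "__main__":
    # Constructed sample policies illustrating the issue's point.
    print(validate_source_list("'unsafe-eval'", "serialized-source-list"))  # legal for base-uri
    print(validate_source_list("'unsafe-eval'", "ancestor-source-list"))    # rejected for frame-ancestors
    print(inert_expressions("'self' 'unsafe-eval' https://example.com"))    # ["'unsafe-eval'"]
```

Running the linter over a `base-uri` value flags keywords, nonces and hashes that the policy author may believe are doing something but that the matching algorithm ignores, which is exactly the mismatch between grammar and behaviour the issue describes.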