
Content-Security-Policy for URLs

Open notriddle opened this issue 8 years ago • 2 comments

https://github.com/notriddle/ammonia/issues/57#issuecomment-332423056

Just to be clear:

  • The UrlRelative setting is just for resolving URLs. It is not an all-encompassing filter; it does nothing to absolute URLs.
  • Some people want the ability to filter all allowed URLs. And it seems sensible to just implement the same Content-Security-Policy language that browsers already implement, especially since it means the same definition can be shared between both.

notriddle, Sep 28 '17 19:09
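The filter this comment proposes, a CSP source list applied to every absolute URL once UrlRelative has done its resolving, as an added example written for this page; it is neither ammonia's own code nor the rust-content-security-policy crate, and the directive value, origin and host names in it are constructed.

```rust
// Added example for this thread, not ammonia's API nor the rust-content-security-policy crate: a minimal CSP-style source list over absolute URLs, std only.
enum Source {
    None,       // 'none'
    SelfOrigin, // 'self'
    Host { scheme: Option<String>, host: String, port: Option<String> },
}
/// "[scheme://]host[:port][/...]" -> (scheme, host, port), lowercased.
fn parse_loc(s: &str) -> (Option<String>, String, Option<String>) {
    let (scheme, rest) = match s.split_once("://") {
        Some((sc, r)) => (Some(sc.to_ascii_lowercase()), r),
        None => (None, s),
    };
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.to_string())),
        None => (authority, None),
    };
    (scheme, host.to_ascii_lowercase(), port)
}

/// Parse a directive value such as "'self' https://cdn.example.com:8443 *.img.example.org".
fn parse_sources(directive_value: &str) -> Vec<Source> {
    directive_value.split_whitespace().map(|tok| match tok {
        "'none'" => Source::None,
        "'self'" => Source::SelfOrigin,
        _ => { let (scheme, host, port) = parse_loc(tok); Source::Host { scheme, host, port } }
    }).collect()
}

/// "*.example.org" matches any subdomain but not the apex host itself.
fn host_matches(pattern: &str, host: &str) -> bool {
    if let Some(suffix) = pattern.strip_prefix("*.") {
        return host.strip_suffix(suffix).map_or(false, |pre| pre.len() > 1 && pre.ends_with('.'));
    }
    pattern == host
}

/// True if `url` is permitted. A relative `url` is rejected here: resolving it
/// is UrlRelative's job, and this check is meant to run on the resolved result.
fn url_allowed(sources: &[Source], self_origin: &str, url: &str) -> bool {
    let (scheme, host, port) = match parse_loc(url) { (Some(s), h, p) => (s, h, p), _ => return false };
    sources.iter().any(|src| match src {
        Source::None => false,
        Source::SelfOrigin => parse_loc(self_origin) == (Some(scheme.clone()), host.clone(), port.clone()),
        Source::Host { scheme: s, host: h, port: p } => {
            s.as_deref().map_or(true, |s| s == scheme) && host_matches(h, &host)
                && p.as_deref().map_or(true, |p| Some(p) == port.as_deref())
        }
    })
}
```

The grammar is deliberately reduced: no IPv6 literals, no default-port rule (a port given in a source must appear verbatim in the URL) and no path matching.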

Before I can decide if this needs to go in at 1.0 or if it should be delayed until after 1.0 is released, we need to answer the question of whether there should be a Content-Security-Policy by default.

I think the answer's no, since the default setting blocks all CSS and JavaScript, while CSP is a way to restrict where CSS and JavaScript come from (as well as images, multimedia, objects, fonts, and a few other things that can usually be safely loaded from anywhere anyway).

notriddle, Sep 29 '17 19:09

https://github.com/notriddle/rust-content-security-policy/

Unless somebody knows of a Content-Security-Policy parser. I couldn't find one after a brief search of Crates.IO.

notriddle, Oct 02 '17 02:10