Re: [Content Security Policy] Proposal to move the debate forward

On 31/01/11 17:03, Adam Barth wrote:
>> If you have a proposal for a policy syntax and mechanism which doesn't have
>> this problem, let's hear it :-)
>
> The "minimal edit distance" proposal from CSP would be to let folks
> use the "script-src" directive without using the "allow" directive.
> For example, we could make the following a valid policy:
>
> Content-Security-Policy: script-src example.com
>
> We could then later decide that "allow" was a valid directive.  Now,
> I'm not sure that's the optimum path (and there are some details
> w.r.t. plug-ins), but it at least plausibly proves the concept.

In the current proposal, this is equivalent to:

Content-Security-Policy: allow *; script-src example.com

If you want to implement CSP, in the first instance, such that all 
"allow" values are treated as "*", i.e. you don't respect the 
restrictions anywhere except for script-src, I can't see a problem with 
that. Well, there's the problem that users of your browser won't be 
getting all the benefit of the policy the site has defined, but 
presumably you accept that :-) But there's no compatibility problem; you 
can start respecting them later if you want.

The only difference between your proposal and ours is that because allow 
defaults to 'none', CSP as it stands would require 'allow <something>' 
on every policy, whereas yours does away with that. But I'm not seeing 
that as an enormous simplification.

(We went backwards and forwards on whether allow should default to 
'none' or *. I wish we'd written down the arguments on both sides. 
Perhaps Brandon or Lucas can remember some of them. If it defaulted to 
*, then our proposals would be equivalent.)

Gerv

Received on Tuesday, 1 February 2011 09:46:18 UTC
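As an added illustration (not code from this thread, from any browser, or from the W3C), a small Python evaluator for the "allow"/"script-src" syntax under discussion. The allow default is a parameter so the two readings Gerv mentions ('none' versus *) can be compared on the same headers; the directive set and source-matching rules are a simplified subset assumed for the example.

```python
# Added example, not code from the thread or any CSP implementation: a toy
# evaluator for the early "allow"/"script-src" syntax. Source matching is a
# simplified subset: real CSP also has 'self', schemes, ports and wildcards.

def parse_policy(header, allow_default):
    """Parse 'allow *; script-src example.com' into {directive: [sources]}.
    allow_default is what 'allow' means when the header omits it: the thread
    contrasts ["'none'"] (the CSP draft) with ["*"] (the minimal-edit idea)."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    # An absent (or present-but-empty) directive falls back to 'allow'.
    policy.setdefault("allow", list(allow_default))
    return policy

def source_matches(source_expr, origin):
    """Match one source expression against the host a resource comes from."""
    if source_expr == "*":
        return True
    if source_expr == "'none'":
        return False
    return source_expr.lower() == origin.lower()

def is_allowed(policy, directive, origin):
    """Is a load of type `directive` (e.g. 'img-src') from `origin` permitted?
    A directive the header does not mention inherits the 'allow' list."""
    sources = policy.get(directive) or policy["allow"]
    return any(source_matches(s, origin) for s in sources)

def policies_equivalent(header_a, header_b, allow_default, probes):
    """True if both headers give the same verdict for every (directive, origin)."""
    pa = parse_policy(header_a, allow_default)
    pb = parse_policy(header_b, allow_default)
    return all(is_allowed(pa, d, o) == is_allowed(pb, d, o) for d, o in probes)

# Constructed probes: resource types and hosts a page might plausibly load from.
PROBES = [("script-src", "example.com"), ("script-src", "other.example"),
          ("img-src", "cdn.example"), ("object-src", "example.com")]

if __name__ == "__main__":
    short = "script-src example.com"
    explicit = "allow *; script-src example.com"
    # With allow defaulting to *, the short header equals the explicit one ...
    print(policies_equivalent(short, explicit, ["*"], PROBES))       # True
    # ... but under the draft's 'none' default it blocks every non-script load.
    print(policies_equivalent(short, explicit, ["'none'"], PROBES))  # False
```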