W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP syntax

From: Terri Oda <terri@zone12.com>
Date: Fri, 04 Feb 2011 16:03:35 -0500
Message-ID: <4D4C69A7.2090303@zone12.com>
To: public-web-security@w3.org
Daniel Veditz wrote:
> The Mozilla CSP spec avoids commas for this reason, using ';' as
> delimiters. That way we can split on a comma if found and then
> intersect the two policies (tightening restrictions). Otherwise
> there might be a rare attack where if you found a potential victim
> on a path with a proxy that does that kind of coalescing AND could
> inject a second header then you could disable or weaken the CSP
> policy for that site.

That's actually a really great point and a potential reason for 
suggesting that we use a header-specific format rather than co-opt any 
existing one.  Headers are subject to additional restrictions that 
wouldn't apply to existing languages.  As such, maybe it really does 
make more sense to have the header link to an external file or have the 
  policy as stated in the header be a compressed/compiled version of the 
ones humans would read.

I vaguely recall that there was a reason a separate policy file was 
rejected as an idea in previous CSP discussion. I think it might have 
been that a separate file was deemed excessive due to the original small 
size of CSP, but now that CSP has been expanded to be more expressive 
this seems to be less true.  Can anyone refresh our memories as to why 
and whether those constraints continue to be an issue?
Received on Friday, 4 February 2011 21:04:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 February 2011 21:04:06 GMT