Re: CSP syntax

From: Lucas Adamski <lucas@mozilla.com>
Date: Fri, 4 Feb 2011 18:40:09 -0800
Cc: public-web-security@w3.org
Message-Id: <88D98A0A-EA19-4B92-A310-76985718D09C@mozilla.com>
To: Terri Oda <terri@zone12.com>
Does "policy-uri" do what you want? https://wiki.mozilla.org/Security/CSP/Specification#Directives

One limitation of policy files is that it creates a lot of overhead if you want to vary the policy from URL to URL... one additional request, and potentially many different policy files to manage across the server.  That may be less of a concern if you assume most sites will only have a single, site-wide policy.  We could pontificate but I doubt we'll know until CSP has been more widely deployed.  
  Lucas.

On Feb 4, 2011, at 1:03 PM, Terri Oda wrote:

> Daniel Veditz wrote:
>> The Mozilla CSP spec avoids commas for this reason, using ';' as
>> delimiters. That way we can split on a comma if found and then
>> intersect the two policies (tightening restrictions). Otherwise
>> there might be a rare attack where if you found a potential victim
>> on a path with a proxy that does that kind of coalescing AND could
>> inject a second header then you could disable or weaken the CSP
>> policy for that site.
> 
> That's actually a really great point and a potential reason for suggesting that we use a header-specific format rather than co-opt any existing one.  Headers are subject to additional restrictions that wouldn't apply to existing languages.  As such, maybe it really does make more sense to have the header link to an external file or have the policy as stated in the header be a compressed/compiled version of the ones humans would read.
> 
> I vaguely recall that there was a reason a separate policy file was rejected as an idea in previous CSP discussion. I think it might have been that a separate file was deemed excessive due to the original small size of CSP, but now that CSP has been expanded to be more expressive this seems to be less true.  Can anyone refresh our memories as to why and whether those constraints continue to be an issue?
> 
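The coalescing behaviour Daniel Veditz describes in the quoted text above, as an added example that is not code from the thread, from Mozilla, or from the CSP specification: a proxy may fold two `X-Content-Security-Policy` headers into one value joined by a comma, so a receiver that uses ';' as its own delimiter can treat any comma as a boundary between policies and enforce all of them, which only ever tightens the result. The directive names (`default-src`, `script-src`, `img-src`), the `default-src` fallback and the host matching rules are assumptions made for this example, not a transcription of the 2011 Mozilla syntax; the sample header values are constructed.

```python
"""Intersecting comma-coalesced CSP policies (added example, not from the thread)."""
from typing import Dict, List, Set

Policy = Dict[str, Set[str]]

# Constructed sample: the site's own policy followed by a second policy that a
# proxy folded into the same header value with ','. Directive names are assumed.
SITE_POLICY = "default-src 'self'; script-src 'self' cdn.example.net"
EXTRA_HEADER = "script-src *"
COALESCED = SITE_POLICY + ", " + EXTRA_HEADER
SELF_ORIGIN = "www.example.com"


def parse_policy(text: str) -> Policy:
    """Parse one ';'-delimited policy into {directive: set(sources)}."""
    policy: Policy = {}
    for directive in text.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, *sources = directive.split()
        policy[name.lower()] = set(sources)
    return policy


def split_coalesced_header(value: str) -> List[Policy]:
    """A comma never appears inside a ';'-delimited policy, so each
    comma-separated chunk is treated as a distinct policy."""
    return [parse_policy(chunk) for chunk in value.split(",") if chunk.strip()]


def source_matches(source: str, host: str, self_host: str) -> bool:
    """Host-only source matching (assumed rules: 'none', '*', 'self',
    '*.example' wildcard, or an exact host)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return host == self_host
    if source.startswith("*."):
        return host.endswith(source[1:])  # "*.example.net" matches "a.example.net"
    return host == source


def policy_allows(policy: Policy, directive: str, host: str, self_host: str) -> bool:
    """One policy permits the load if any source of the directive (or of the
    assumed default-src fallback) matches; a policy that says nothing about
    the directive places no restriction on it."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, host, self_host) for s in sources)


def allowed(header_value: str, directive: str, host: str, self_host: str) -> bool:
    """Intersection semantics: every policy found in the header value must
    permit the load. A second, looser policy therefore cannot widen the first."""
    policies = split_coalesced_header(header_value)
    return all(policy_allows(p, directive, host, self_host) for p in policies)


if __name__ == "__main__":
    for host in ("cdn.example.net", "evil.example.org"):
        print(directive := "script-src", host,
              "allowed" if allowed(COALESCED, directive, host, SELF_ORIGIN) else "blocked")
```

Run as written, `cdn.example.net` is reported as allowed (both policies permit it) while `evil.example.org` stays blocked even though the second, folded-in policy says `script-src *`; treating the comma as a separator and intersecting is what keeps the injected policy from weakening the site's own. A parser that instead treated the whole value as one policy, or let the last `script-src` win, would have allowed it.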
Received on Saturday, 5 February 2011 02:41:13 GMT