Re: some CSP features on by default or not ? (was: Re: CSP Directive Proposal: Sandbox) from Adam Barth on 2011-02-25 (public-web-security@w3.org from February 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 25 Feb 2011 15:17:47 -0800
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web Security Interest Group <public-web-security@w3.org>
Message-ID: <AANLkTin6ofTvGumigv_R7N990465NoF0WvnT76onUDJg@mail.gmail.com>

On Fri, Feb 25, 2011 at 1:43 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> AdamB said on Wed, 23 Feb 2011 21:18:26 -0800
>>
>> On Wed, Feb 23, 2011 at 5:18 PM, Brandon Sterne <bsterne@mozilla.com>
>> wrote:
>>
>>> I see your comments suggesting this change and Collin's supporting them.
>>>  I don't see how you got from there to "this group".  I'm not saying the
>>> suggested change is without merit, but there is a case to be made
>>> against it which Dan brought up.  I think the debate is still open.
>>
>> Fair enough.  Perhaps we should continue the discussion in the other
>> thread.
>
> The other thread, and the four relevant msgs therein, are...
>
> Re: JavaScript URLs and script-src nit
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0096.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0097.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0113.html
>
> ..tho retitling it (or just carrying over into this thread) may be a good
> idea.

Thanks Jeff.

I think this question boils down to how general purpose we want CSP
policies to be.  For example, would we rather have yet another one-off
HTTP header for something like From-Origin:

http://annevankesteren.nl/2011/02/from-origin

or should that just be a CSP directive:

Content-Security-Policy: restrict-embedding-to *.example.com

(module naming)?.  If CSP comes with a lot of baggage, that's going to
lead to a proliferation of these sorts of headers.  On the other hand,
which seems unfortunate.

Adam


>>> On 02/22/2011 07:41 PM, Adam Barth wrote:
>>>>
>>>> Oh, I meant this group.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Tue, Feb 22, 2011 at 6:24 PM, Daniel Veditz <dveditz@mozilla.com>
>>>> wrote:
>>>>
>>>>> I haven't seen any consensus forming on that, maybe Adam's "we"
>>>>> means webkit.
>>>>>
>>>>> On 2/22/11 1:31 AM, sird@rckc.at wrote:
>>>>>
>>>>>> Oh, I wasn't aware that the "default-do-noting" was really happening.
>>>>>>
>>>>>> -- Eduardo
>>>>>>
>>>>>> On Tue, Feb 22, 2011 at 1:16 AM, Adam Barth <w3c@adambarth.com> wrote:
>>>>>>
>>>>>>> I don't think the situation is as tricky as you make it out to be,
>>>>>>> especially if we go the route of an empty CSP policy not implying
>>>>>>> inline script restrictions, which seems likely.
>>>>>>>
>>>>>>> Adam
>
>
>

Received on Friday, 25 February 2011 23:24:39 UTC