
Re: [Content Security Policy] Proposal to move the debate forward

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 27 Jan 2011 14:06:09 -0800
Message-ID: <AANLkTi=38982epRRi695So2g9EAG+uNJVrFSqC8-z70p@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On Thu, Jan 27, 2011 at 1:55 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> 1) My site is entirely served over HTTPS, but my developers keep
>> including mixed content by mistake.  I wish I could set a policy for
>> my site that prevented me accidentally loading insecure content.
>
> I think it's more complicated than that; it may be unacceptable to
> include content simply from domains you don't control, or have no
> assurances about: if you are a bank, you do not want any image or
> stylesheet on your website to be replaced by "h4x0red by p1gZ" due to
> a developer mistake.
>
> I am not sure it's a problem that should be fixed on browser level;
> but in terms of complexity, browser is definitely one of the most
> attractive and reliable points (compared to, for example, server-side
> auditing). And if there is a consensus that it's worth doing (?), then
> doing it as a part of CSP probably makes more sense than devising a
> separate mechanism.

To re-state your use case:

2) My site has a policy that we can only include content from certain
trusted providers (e.g., our CDN, Amazon S3), but my developers keep
adding dependencies on sites I don't trust.  I wish I could set a
policy for my site that prevented me from accidentally loading
resources outside my whitelist.

BTW, I've started a wiki page to record these use cases:

http://www.w3.org/Security/wiki/Use_Cases_for_Content_Security_Policies

Please feel free to add more and/or make that page more beautiful.

Adam
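As an added illustration of the two use cases above (not code from this thread or from any browser's CSP implementation): a small Python checker that applies a `default-src` whitelist, in the source-list syntax CSP later standardised, to a page's resource loads, so a site owner can see which loads a policy would refuse. The host names, the sample policy and the resource URLs are constructed; port matching is omitted.

```python
from urllib.parse import urlsplit


def host_matches(pattern, host):
    """Exact host match, or a '*.' pattern matching any true subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(expr, page_origin, url):
    """Does one source expression permit loading url into a page at page_origin?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr.endswith(":") and "/" not in expr:   # scheme-only source, e.g. "https:"
        return target.scheme == expr[:-1].lower()
    src = urlsplit(expr if "://" in expr else "//" + expr)
    if src.scheme and src.scheme != target.scheme:
        return False                              # an explicit scheme must match exactly
    if not src.scheme and page.scheme == "https" and target.scheme != "https":
        return False                              # scheme-less sources never allow a downgrade
    return host_matches(src.hostname or "", target.hostname or "")


def policy_allows(policy, page_origin, url):
    """True if any source in the policy's default-src directive permits the load."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "default-src":
            return any(source_allows(e, page_origin, url) for e in parts[1:])
    return True                                   # no default-src: no restriction imposed


def blocked_loads(policy, page_origin, urls):
    """The subset of urls the policy would refuse: the accidental dependencies."""
    return [u for u in urls if not policy_allows(policy, page_origin, u)]


# Constructed sample: an HTTPS site that trusts only itself, its CDN and S3.
POLICY = "default-src 'self' https://cdn.example.com https://*.s3.amazonaws.com"
PAGE = "https://bank.example"
RESOURCES = [
    "https://bank.example/app.js",               # same origin: allowed
    "https://cdn.example.com/jquery.js",         # whitelisted CDN: allowed
    "https://assets.s3.amazonaws.com/logo.png",  # wildcard host: allowed
    "http://cdn.example.com/jquery.js",          # mixed content: blocked
    "https://ads.untrusted.example/track.js",    # outside the whitelist: blocked
]
```

Running `blocked_loads(POLICY, PAGE, RESOURCES)` lists the mixed-content load and the untrusted third-party script, which are exactly the two developer mistakes the use cases describe.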
Received on Thursday, 27 January 2011 22:07:14 GMT
