Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 10:19:22 +0000
Message-ID: <AANLkTimCozNjFGNuVKmJjKnoVtLB+033pW=4SVfcRzMP@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org

On 27 January 2011 16:54, Brandon Sterne <bsterne@mozilla.com> wrote:

> 6. Policy delivery
>   a. HTTP header
>   b. <meta> (or <link>) tag, to be superseded by header if present
>   c. policy-uri: a URI from which the policy will be fetched; can be
>      specified in either header or tag
>

a) Policy shouldn't be defined in an HTTP header; it's too messy, and what
happens when there's a mistake?

b) As discussed on the list, there is no need to have a separate method, as it
can be generated by an attacker. If a policy doesn't exist, then an attacker
can now DoS the web site via meta.

c) We have a winner: an HTTP header specifying a link to the policy file is
the way to go IMO; my only problem with it is devs implementing it. Yes,
Facebook would and probably Twitter would, but Dave's tea shop wouldn't pay
enough money to hire a web dev who knew how to implement a custom HTTP
header, yet they would know how to validate HTML. So the question is: are we
bothered about little sites that are likely to have nice tea and XSS holes?
If so, I suggest updating the HTML W3C validator to require a security policy
to pass validation; if not, I suggest a policy file delivered by HTTP header.
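The delivery precedence from item 6 (header supersedes <meta>, policy-uri resolvable from either) and the injected-<meta> concern raised in (b), modelled as an added Python example that is not from this thread or from any CSP implementation; the header name, the policy-uri directive syntax, the policy strings and the fetched policy file are all assumptions constructed for illustration.

```python
import re

# Assumed header name and directive syntax for the model (not normative).
HEADER = "X-Content-Security-Policy"
META_RE = re.compile(
    r'<meta\s+http-equiv="X-Content-Security-Policy"\s+content="([^"]*)"',
    re.IGNORECASE)
POLICY_URI_RE = re.compile(r"policy-uri\s+(\S+)")


def resolve_policy(headers, body, fetch):
    """Return (policy, source) following rule 6: a header policy wins over a
    <meta> policy; a policy-uri found in either is resolved via fetch()."""
    source, raw = None, None
    if HEADER in headers:
        source, raw = "header", headers[HEADER]
    else:
        m = META_RE.search(body)
        if m:
            source, raw = "meta", m.group(1)
    if raw is None:
        return None, None          # no policy delivered at all
    u = POLICY_URI_RE.search(raw)
    if u:
        return fetch(u.group(1)), source + "+policy-uri"
    return raw, source


# Constructed samples: the site's intended policy, an attacker-injected <meta>
# tag carrying a restrictive policy, and a stand-in for the policy-uri resource.
SITE_POLICY = "allow 'self'; script-src 'self'"
INJECTED_META = ('<meta http-equiv="X-Content-Security-Policy" '
                 'content="allow \'none\'">')
POLICY_FILES = {"https://example.invalid/csp.txt": SITE_POLICY}
fetch = POLICY_FILES.__getitem__


def demo():
    page = "<html><head>" + INJECTED_META + "</head><body>...</body></html>"
    # (b) alone: with no header, the injected tag becomes the effective policy
    # and blocks the site's own scripts (the DoS described in the post).
    without_header = resolve_policy({}, page, fetch)
    # (c): the header points at the policy file; the injected tag is ignored.
    with_header = resolve_policy(
        {HEADER: "policy-uri https://example.invalid/csp.txt"}, page, fetch)
    return without_header, with_header
```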
Received on Friday, 28 January 2011 10:19:55 GMT