Re: [Content Security Policy] Proposal to move the debate forward from gaz Heyes on 2011-01-28 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 22:20:29 +0000
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org
Message-ID: <AANLkTinu8NH1LQOmgaMukYsmkekESsPMKrBFGodk=OU4@mail.gmail.com>

On 28 January 2011 18:54, Brandon Sterne <bsterne@mozilla.com> wrote:

> Care to elaborate on this some more?  What do you mean by "too messy"
> and in what ways could a "mistake" be made with a policy header that
> couldn't be equivalently made using the other methods?
>

Stuffing a policy into a http header just seems hard work and hard to
understand. What if the dev mistypes a letter for a crucial policy like same
origin? Maybe it's the syntax it just seems hard to follow for me.

> > c) We have a winner, a http header specifying a link to the policy file
> > is the way to go IMO, my only problem with it is devs implementing it.
> > Yes facebook would and probably twitter would but Dave's tea shop
> > wouldn't pay enough money to hire a web dev who knew how to implement a
> > custom http header yet they would know how to validate HTML. So the
> > question is are we bothered about little sites that are likely to have
> > nice tea and XSS holes? If so I suggest updating the HTML W3C validator
> > to require a security policy to pass validation if not I suggest a
> > policy file delivered by http header.
>
> I don't really follow the logic of this section (aren't HTTP headers
> "messy"?), but I do think that a success criteria for the model should
> be that it is simple enough to be implemented by large and small sites
> alike.
>

 X-Content-Security-Policy: allow 'self'; img-src *; \
                           object-src media1.com media2.com *.cdn.com; \
                           script-src trustedscripts.example.com

Looks a mess to me, does ";" mean end is allow self part of img-src, we have
to include a backslash to separate statements? Why does allow self use
quotes, yet script-src doesn't? This is meant to be sent via one http
header? Try to look at it from the outside do you really think it is easy
for someone to implement this in one http header? BTW you might have notice
I don't mind being the bad guy and asking tough questions about your work,
don't take offence I know you've worked hard but things move faster if we
cut the bull.

Received on Friday, 28 January 2011 22:21:02 UTC