Re: [Content Security Policy] Proposal to move the debate forward from Brandon Sterne on 2011-01-28 (public-web-security@w3.org from January 2011)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 28 Jan 2011 14:52:34 -0800
To: gaz Heyes <gazheyes@gmail.com>
CC: public-web-security@w3.org
Message-ID: <4D4348B2.5050100@mozilla.com>

On 1/28/11 2:20 PM, gaz Heyes wrote:
> On 28 January 2011 18:54, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
> 
>     Care to elaborate on this some more?  What do you mean by "too messy"
>     and in what ways could a "mistake" be made with a policy header that
>     couldn't be equivalently made using the other methods?
> 
> 
> Stuffing a policy into a http header just seems hard work and hard to
> understand.

You're just restating the opinion you gave before.  You'll have to
provide more support for these types of statements if you expect to
persuade anyone.

> What if the dev mistypes a letter for a crucial policy like
> same origin? Maybe it's the syntax it just seems hard to follow for me.

Mistyping a letter in any of the policy delivery mechanisms will have
the same effect.  If the syntax is hard to follow, then we should
address that, but you have to call out specifics.  We can't read your mind.

>  X-Content-Security-Policy: allow 'self'; img-src *; \
>                            object-src media1.com media2.com *.cdn.com; \
>                            script-src trustedscripts.example.com
> 
> Looks a mess to me, does ";" mean end is allow self part of img-src

";" does not mean "end". It separates the policy directives from each
other.  No, allow 'self' is not part of img-src, as indicated by the
separating ";".

> we
> have to include a backslash to separate statements?

No, those backslashes are escaping the newlines that were added for
readability in that particular document.  In practice, headers wouldn't
contain newlines and would be a single (long, in this case) line.

> Why does allow self
> use quotes, yet script-src doesn't?

It is the 'self' keyword that requires single quotes to differentiate it
from the host self (e.g. http://self/).  The directive the 'self'
keyword is used in is irrelevant.

> This is meant to be sent via one
> http header?

Yes.

> Try to look at it from the outside do you really think it
> is easy for someone to implement this in one http header?

Yes.

> BTW you might
> have notice I don't mind being the bad guy and asking tough questions
> about your work, don't take offence I know you've worked hard but things
> move faster if we cut the bull.

I don't take offense.  Don't worry about hurting my feelings.  It isn't
about me, anyway.  The standardization process involves resolving
differing opinions so that's what we're trying to do.

-Brandon

Received on Friday, 28 January 2011 22:53:38 UTC