W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 29 Jan 2011 19:14:40 -0800
Message-ID: <4D44D7A0.6080701@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 1/29/11 1:11 AM, gaz Heyes wrote:
> header("X-Content-Security-Policy: allow 'self'; img-src
> www.gmodules.com; script-src *.businessinfo.co.uk;");
> 
> In particular the semi colon, it seems to indicate next statement

Yes, it's just a divider. Order of "directives" (semicolon-delimited
chunks) is unimportant.

> yet how are they related to the "allow" statement.

Think of "allow" as "default-src": it provides the value for any
missing directive. Your policy has an explicit img-src and
script-src so those are what will be used for those types (and you
did not specify 'self' for those so you won't be able to load
scripts from your own site). Any other type of content (stylesheets,
plugins, etc) will be limited to 'self'.

> quoted string is confusing why do we need it for allow when we
> have protocols?

You don't need to use 'self', you can use unquoted mydomain.tld
instead; it's just a shortcut. It's quoted to distinguish it from an
actual machine called self, in the unlikely case there is one. We
toyed with other ways to distinguish keywords from host names,  like
$self, but single quotes is what we settled on.

There's also 'none' if you wish to not have any of a particular type
loaded, e.g. "object-src 'none'"

> c) Having one
> big long line of command is definitely going to introduce errors

If you've got a long/complex policy then an external policyURI is
probably the way to go. If you can get away with the same policy for
your entire site then caching will mitigate the latency issues after
the first page is loaded.

-Dan Veditz
Received on Sunday, 30 January 2011 03:15:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 30 January 2011 03:15:53 GMT