
Re: Using CSP

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 26 Jul 2011 16:56:29 -0700
Message-ID: <4E2F542D.9040609@mozilla.com>
To: nickgearls@gmail.com
CC: public-web-security@w3.org

On 7/26/11 3:27 AM, Nick Gearls wrote:
> 1. Whatever you want, you may use only one header.
> Whether you want to restrict or to relax a rule in a sub-location,
> don't bother to try to add a header (or even a directive inside the
> header), it does not work.

Web developers will certainly want a way to specify a default site
rule and then allow for spot relaxation/tightening, but
unfortunately that kind of thing will have to be built into site
frameworks. If we allow an additional header to relax a rule then
any header-injection flaw means an attacker can add "default-src *;
options inline-script;" thereby disabling any CSP protection.

We also wanted to err on the side of being too strict. We can always
loosen the behavior in the future and keep today's strict policies
working. If we started out too loose and had to make things more
strict we'd end up breaking most of our early adopters.

Thanks for your courage trying out CSP at such an early time and
your feedback is much appreciated!

-Dan Veditz
Received on Tuesday, 26 July 2011 23:57:06 GMT
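The reasoning above (a second header that could relax the first would turn any header-injection flaw into a full CSP bypass), as an added example that is not code from this list or from Mozilla's implementation: a toy evaluator that checks a resource URL against the delivered CSP headers under two combination rules, "last header wins" and "every header must allow". The source-expression matcher is a simplified stand-in for the real one, the policy strings and URLs are constructed, and the early-syntax `options` directive is parsed but not evaluated.

```python
from urllib.parse import urlparse

def parse_policy(header):
    """Split one CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """Simplified source-expression match: *, none, self, *.host, host."""
    s = source.strip("'").lower()          # accept both self and 'self'
    target = urlparse(url)
    origin = f"{target.scheme}://{target.netloc}"
    if s == "*":
        return True
    if s == "none":
        return False
    if s == "self":
        return origin == page_origin
    if s.startswith("*."):                 # wildcard host, e.g. *.example.com
        return (target.hostname or "").endswith(s[1:])
    if "://" not in s:                     # bare host: inherit the target scheme
        s = f"{target.scheme}://{s}"
    return origin == s

def policy_allows(policy, directive, url, page_origin):
    """A directive falls back to default-src; an absent default-src allows all."""
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    return any(source_allows(src, url, page_origin) for src in sources)

def last_header_wins(headers, directive, url, page_origin):
    """Relaxing model: a later header replaces the earlier one."""
    return policy_allows(parse_policy(headers[-1]), directive, url, page_origin)

def all_headers_must_allow(headers, directive, url, page_origin):
    """Strict model: every delivered policy is enforced; a load must pass all."""
    return all(policy_allows(parse_policy(h), directive, url, page_origin)
               for h in headers)

# Constructed sample: the site's own policy, plus the header quoted in the mail
# appended through a hypothetical header-injection flaw.
SITE_POLICY = "default-src 'self'; img-src *.example.com"
INJECTED = "default-src *; options inline-script;"   # 'options' parsed, not evaluated
PAGE_ORIGIN = "https://www.example.com"
FOREIGN_SCRIPT = "https://third-party.invalid/x.js"  # constructed, not a real host
```

Under "last header wins" the injected policy admits the foreign script; under "every header must allow" the site's original `default-src 'self'` still blocks it, which is the property the strict design preserves.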