
Re: Using CSP

From: Nick Gearls <nickgearls@gmail.com>
Date: Wed, 27 Jul 2011 12:50:39 +0200
Message-ID: <4E2FED7F.9090508@gmail.com>
To: public-web-security@w3.org
Hi Dan,

As I said, you could leave the choice to the site owner.
You could have a syntax allowing you to add/remove/reset directives.
Ex:
   script-src +partner.com  -> allow on top of previous settings
   script-src -partner.com  -> keep previous settings but remove this site
   script-src partner.com  -> reset settings

Btw, header injection is, I think, not very usual for most sites. And if 
you can do that, that probably means that you can do anything on that 
site, including modifying or deleting a header, no?

Regards,

Nick

On 27/7/2011 1:56, Daniel Veditz wrote:
> On 7/26/11 3:27 AM, Nick Gearls wrote:
>> 1. Whatever you want, you may use only one header.
>> Whether you want to restrict or to relax a rule in a sub-location,
>> don't bother to try to add a header (or even a directive inside the
>> header), it does not work.
>
> Web developers will certainly want a way to specify a default site
> rule and then allow for spot relaxation/tightening, but
> unfortunately that kind of thing will have to be built into site
> frameworks. If we allow an additional header to relax a rule then
> any header-injection flaw means an attacker can add "default-src *;
> options inline-script;" thereby disabling any CSP protection.
>
> We also wanted to err on the side of being too strict. We can always
> loosen the behavior in the future and keep today's strict policies
> working. If we started out too loose and had to make things more
> strict we'd end up breaking most of our early adopters.
>
> Thanks for your courage trying out CSP at such an early time and
> your feedback is much appreciated!
>
> -Dan Veditz
>
>
>
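Added example (my own code, not from this thread or from any CSP implementation): a server-side merge of per-location CSP overrides using the add/remove/reset prefix syntax proposed above, together with the check a site framework would need because the merge happens outside the browser, where an injected header could otherwise loosen the policy. The `+`/`-` prefix syntax and the helper names are hypothetical.

```python
"""Merge CSP directives with a hypothetical add/remove/reset syntax.
This is a constructed example, not part of any CSP specification."""


def parse_csp(header: str) -> dict:
    """Parse "script-src a b; img-src c" into {"script-src": ["a", "b"], ...}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def apply_override(base: dict, override: str) -> dict:
    """Apply a sub-location override to a copy of the base policy.
    A value starting with '+' adds a source, '-' removes one; a directive
    whose values carry no prefix replaces the base directive entirely."""
    merged = {k: list(v) for k, v in base.items()}
    for name, values in parse_csp(override).items():
        current = merged.get(name, [])
        if values and all(v[0] in "+-" for v in values):
            for v in values:
                if v[0] == "+" and v[1:] not in current:
                    current.append(v[1:])
                elif v[0] == "-" and v[1:] in current:
                    current.remove(v[1:])
            merged[name] = current
        else:
            merged[name] = values  # reset
    return merged


def relaxes(base: dict, merged: dict, directive: str = "script-src") -> bool:
    """True if `merged` permits a source for `directive` that `base` did not.
    A framework honouring overrides should refuse any that relax the base
    policy, since an injected header could otherwise add e.g. '*'."""
    before = set(base.get(directive, base.get("default-src", [])))
    after = set(merged.get(directive, merged.get("default-src", [])))
    return not after <= before


def serialize(policy: dict) -> str:
    """Render the policy back into a single header value."""
    return "; ".join(f"{k} {' '.join(v)}" for k, v in policy.items())


if __name__ == "__main__":
    base = parse_csp("default-src 'self'; script-src 'self' cdn.example")
    widened = apply_override(base, "script-src +partner.example")
    print(serialize(widened), relaxes(base, widened))
```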
Received on Wednesday, 27 July 2011 10:49:55 GMT