W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: CSP and jsonp callbacks

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 31 May 2011 12:00:02 -0700
Message-ID: <4DE53AB2.9020105@mozilla.com>
To: sird@rckc.at
CC: Eduardo Vela <sirdarckcat@gmail.com>, public-web-security@w3.org, masatokinugawa@gmail.com
On 5/30/11 10:37 AM, Eduardo Vela wrote:
> Could it be possible to whitelist specific files, instead of complete
> origins? Maybe even global expressions (e.g.
> www.youtube.com/scripts/*.js)?

It's a valid suggestion, left out of the current implementation in
the interests of simplicity and incrementalism. It is easy to add in
the future but hard to take out once supported.

CSP as it stands will work in some situations and maybe not quite as
well in others. Sites that use YouTube and CSP are no worse off than
they already are without CSP, and CSP greatly limits the attack
surface in general.

I'd like to let CSP go forward with the current site-level
whitelisting and collect feedback from sites who have deployed it.
It should become clear whether we need the added feature or not.

In the present we should make sure "host[:port]/" is ignored as
invalid (but not invalidating the entire policy, of course) so we
can use the presence of the '/' to distinguish the two cases in the
future.

> I think forcing the right Content-Type for scripts might be the best
> solution, and maybe a rule to override this behavior, comments?

I supported this, a bit disappointed it has been dropped. It may not
have helped much if people had to override the behavior most of the
time.

-Dan Veditz
Received on Tuesday, 31 May 2011 19:00:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 31 May 2011 19:00:40 GMT