W3C home > Mailing lists > Public > public-web-security@w3.org > October 2011

Re: CSP advocacy group??

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 19 Oct 2011 11:25:16 -0700
Message-ID: <4E9F160C.90801@mozilla.com>
To: "Michael A. Peters" <mpeters@domblogger.net>
CC: public-web-security@w3.org
On 10/18/11 6:09 PM, Michael A. Peters wrote:
> I'm not that font of the 'unsafe-inline' directive as there is no way
> for a web browser to differentiate between injected script/style and
> what is legitimate. Using external CSS/Script and forbidding inline
> makes it for browsers to differentiate.

You're preaching to the choir.  Your point about using external script
and CSS is fundamental to the whole CSP model.

My suggestion was to add 'unsafe-inline' to the style-src directive,
which does not remove restrictions on inline _script_.  You asked about
a particular use case and I suggested a way to support it under CSP.
I'm not sure what else to tell you.

> With respect to the iframe, I was under the impression the iframe had to
> minimally conform to the same policy as it's parent document. I guess I
> am wrong there, though that is how I would think it should be.

Your understanding is wrong.  A policy applies only to the top-level
document.  If you applied the policy to all the sub-frames, one
potential bad side effect would be preventing frame-busting scripts (or
other features) from loading.

If a site wants to apply a CSP to the document in the sub-frames, they
must serve a CSP header with the frame response.  This obviously implies
that they control the content there as well.  While there are certain
valid cases where it would be "nice" to apply a policy all the way down
through a frame tree, we fundamentally cannot allow a site to impose a
security policy on another site, hence the need for each document to
opt-in by serving its own policy.

-Brandon
Received on Wednesday, 19 October 2011 18:25:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 19 October 2011 18:25:47 GMT