Re: question regarding client handling of Content-Security-Policy and Content-Security-Policy-Report-Only

Hi Tobias,

On Sat, Mar 24, 2012 at 3:05 AM, Tobias Gondrom
<tobias.gondrom@gondrom.org> wrote:
> very nice progress with the CSP and looking forward to this.

Thanks.

> A small comment.
> (In case it's already been dealt with, please accept my apologies for missing it):
>
> regarding section 3.1.2 Content-Security-Policy-Report-Only Header Field
> says:
> "If a server supplies at least one Content-Security-Policy-Report-Only
> header field in an HTTP response, the server must not supply any
> Content-Security-Policy header fields."

I think you might be reading the TR version of the spec, which doesn't
reflect the latest edits.  That sentence no longer exists in the
latest version of the spec:

http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Specifically, it's now ok to supply both a Report-Only and a regular CSP
policy (so that folks can test out new policies in report-only mode
while continuing to use their old policies).

> And on a personal note: I wonder whether it may be useful to stress more
> that it would be strongly recommended to use TLS/SSL channel protection for
> CSP headers to protect their integrity (as with plain http MitM can not only
> read the channel but by injecting a different CSP-header could potentially
> abuse CSP-reporting functionality)? What do you think?

That's a good idea.  I'll add something to that effect to the security
considerations section.

Thanks!
Adam
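Added example (not part of the thread, the spec, or any browser's code) of the client-side behaviour the reply describes: a response that carries both an enforcing Content-Security-Policy header and a Content-Security-Policy-Report-Only header, where the enforcing policy blocks and reports while the report-only policy only reports. The header values, origins and the `handle_response` helper are assumptions made for the illustration; source matching is deliberately simplified (exact origin strings plus the keywords 'self' and 'none') and omits scheme-only sources, wildcards and paths.

```python
"""Simulate a user agent evaluating one resource load against every CSP
header on a response. Added example for illustration; not spec or browser
code. Source matching is simplified to exact origins, 'self' and 'none'."""

from urllib.parse import urlsplit


def parse_policy(header_value):
    """Parse "default-src 'self'; script-src https://cdn.example" into
    {directive_name: [source_expressions]}. Per the spec, a repeated
    directive name is ignored (the first occurrence wins)."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue
        policy[name] = parts[1:]
    return policy


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_allows(sources, resource_url, document_url):
    """True if any source expression matches the resource's origin."""
    if "'none'" in sources:
        return False
    res_origin = origin_of(resource_url)
    for src in sources:
        if src == "'self'" and res_origin == origin_of(document_url):
            return True
        if src.lower() == res_origin:
            return True
    return False


def policy_allows(policy, directive, resource_url, document_url):
    """Use the specific directive, falling back to default-src. A policy
    that sets neither does not restrict this load at all."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return source_allows(sources, resource_url, document_url)


def handle_response(headers, directive, resource_url, document_url):
    """Return (blocked, report_count) for one load.

    headers maps header name -> list of values, since a response may carry
    several CSP headers. Enforcing policies block and generate a report;
    report-only policies generate a report but never block."""
    blocked = False
    reports = 0
    for value in headers.get("Content-Security-Policy", []):
        if not policy_allows(parse_policy(value), directive,
                             resource_url, document_url):
            blocked = True
            reports += 1
    for value in headers.get("Content-Security-Policy-Report-Only", []):
        if not policy_allows(parse_policy(value), directive,
                             resource_url, document_url):
            reports += 1
    return blocked, reports


# Constructed sample: the old policy is still enforced while a stricter
# candidate policy is trialled in report-only mode (hypothetical origins).
SAMPLE_HEADERS = {
    "Content-Security-Policy": ["default-src 'self' https://cdn.example"],
    "Content-Security-Policy-Report-Only": ["default-src 'self'"],
}
DOCUMENT_URL = "https://app.example/page"


def demo():
    """Three loads: allowed by both, allowed only by the old policy, and
    rejected by both."""
    return {
        "same-origin": handle_response(SAMPLE_HEADERS, "script-src",
                                       "https://app.example/a.js", DOCUMENT_URL),
        "cdn": handle_response(SAMPLE_HEADERS, "script-src",
                               "https://cdn.example/lib.js", DOCUMENT_URL),
        "third-party": handle_response(SAMPLE_HEADERS, "script-src",
                                       "https://other.example/x.js", DOCUMENT_URL),
    }


if __name__ == "__main__":
    for name, (blocked, reports) in demo().items():
        print(f"{name}: blocked={blocked} reports={reports}")
```

The CDN case is the interesting one: the page keeps working under the enforced policy, but the report-only policy still files a violation report, which is exactly the signal a site owner wants before tightening the enforced header. Note that this logic treats every policy it receives as authoritative, so a header injected into a plaintext HTTP response would be evaluated the same way as the server's own, which is the integrity concern raised in the quoted message.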

Received on Saturday, 24 March 2012 23:09:34 UTC