Call for Review of Content Security Policy 1.0

The Web Application Security Working Group at the W3C is planning to advance Content Security Policy 1.0 to Candidate Recommendation - a final set of features and syntax - and is seeking wide review of the document at this time.  We would especially value the input of members of the Public Web Security list.



http://www.w3.org/TR/2012/WD-CSP-20120710/



Content Security Policy is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources.



To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script.



Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks.



There is often a non-trivial amount of work required to apply CSP to an existing web application. To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.



To take advantage of CSP, a web application opts into using CSP by supplying a Content-Security-Policy HTTP header. Such policies apply to the current resource representation only. To supply a policy for an entire site, the server needs to supply a policy with each resource representation.
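The two preceding points (inline script cannot be distinguished from injected script, and a policy is carried in the Content-Security-Policy header of each response) can be illustrated with a small model of how a user agent applies a script-src directive. This is an added example, not code from the call for review or from the W3C specification; the function names (buildCspHeader, parseCspHeader, sourceMatches, scriptAllowed) and the example.com hosts are assumptions, and the matcher is a deliberately simplified subset of CSP 1.0 source matching ('self', 'none', 'unsafe-inline', scheme sources, and host sources with an optional leading "*." wildcard and optional port; paths are ignored, as CSP 1.0 matches on origin).

```javascript
// Added example (not part of the original message): a simplified model of a
// user agent enforcing the script-src directive of a CSP 1.0 policy.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialise a directive map into a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into { "directive-name": [source, ...] }.
function parseCspHeader(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the origin of `url`, for a document
// served from `documentOrigin` (e.g. "https://app.example.com")?
function sourceMatches(expr, url, documentOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === documentOrigin;
  if (expr.startsWith("'")) return false;          // other keywords never match a URL
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {         // scheme-source, e.g. "https:"
    return url.protocol === expr.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, rawHost, port] = m;
  const host = rawHost.toLowerCase();
  // Without an explicit scheme, the resource must use the document's scheme.
  const requiredScheme = scheme ? scheme.toLowerCase() + ":" : new URL(documentOrigin).protocol;
  if (url.protocol !== requiredScheme) return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  // WHATWG URL leaves url.port empty when it is the scheme's default port.
  if (!port) return url.port === "";
  return port === "*" || port === (url.port || DEFAULT_PORTS[url.protocol]);
}

// Decide whether a script may run. `script` is { inline: true } or { src }.
// script-src falls back to default-src, as CSP 1.0 specifies; with neither
// directive present the policy imposes no restriction on scripts.
function scriptAllowed(policy, script, documentOrigin) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  // The user agent cannot tell injected inline script from the author's own,
  // so inline script runs only if the policy opts back in with 'unsafe-inline'.
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  return sources.some((expr) => sourceMatches(expr, url, documentOrigin));
}

// Constructed sample policy: scripts only from the page's own origin and one
// static host; everything else falls back to default-src 'self'.
const DOCUMENT_ORIGIN = "https://app.example.com";
const EXAMPLE_HEADER = buildCspHeader({
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://static.example.com"],
});
const EXAMPLE_POLICY = parseCspHeader(EXAMPLE_HEADER);

console.log("Content-Security-Policy: " + EXAMPLE_HEADER);
for (const s of [
  { src: "https://app.example.com/app.js" },
  { src: "https://static.example.com/lib.js" },
  { src: "https://evil.example/x.js" },
  { inline: true },
]) {
  console.log(JSON.stringify(s), scriptAllowed(EXAMPLE_POLICY, s, DOCUMENT_ORIGIN) ? "allowed" : "blocked");
}
```

The inline case is the one that drives the migration cost the message describes: under this policy an injected `<script>` block and the author's own inline handler are treated identically and both are blocked, which is why inline script has to move into external files served from an allowed source before the policy can be enforced.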



Please submit comments to public-webappsec@w3.org



Thank you,

Brad Hill

Co-Chair

W3C Web Application Security WG

Received on Tuesday, 4 September 2012 23:01:34 UTC