Re: Proposal: CSP "allow-modification" directive

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 9 Dec 2011 19:45:34 +0100
Cc: Thomas Roessler <tlr@w3.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, public-webappsec@w3.org, Eric Chen <eric.chen@sv.cmu.edu>, Rami Shomali <rami.shomali@sv.cmu.edu>, Chinmay Garde <chinmay.garde@sv.cmu.edu>, Yolando Pereira <yolando.pereira@sv.cmu.edu>
Message-Id: <0E5529E2-32D0-40A0-B1F1-07161BEF3158@w3.org>
To: Adam Barth <w3c@adambarth.com>

I wonder whether this use case can wait till a version 1.1.

Think "ad" instead of "widget".  I think that it's pretty important that CSP is compatible with running ads on the pages it's used to protect.

--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)

On 2011-12-09, at 00:39 +0100, Adam Barth wrote:

> I agree that there's a use case for including third-party widgets in
> your page without you having to know all the resources that they might
> include.  It's slightly unclear to me what the best delegation
> mechanism might be.  For example, you might want to set a bound like
> "my advertising provider can whitelist hosts for scripting, as long as
> they always use HTTPS."
> 
> In any case, I think this is a use case we should think about for CSP
> 1.1.  I'll add your proposal to the wiki shortly.
> 
> Adam
> 
> 
> On Thu, Dec 8, 2011 at 12:06 PM, Collin Jackson
> <collin.jackson@sv.cmu.edu> wrote:
>> One problem I see with CSP is that it encourages a one-size-fits-all policy
>> for an entire site, whereas in reality each page might want different
>> policies, and a single page might want different policies at different
>> times. I would like to propose a CSP "allow-modification" directive that
>> exposes a JavaScript API for adding new CSP directives to the current page.
>> I envision this would mostly be used by third-party script providers. For
>> example:
>> 
>> - Sites can delegate their CSP policy to third-party security companies on a
>> page-by-page basis. Right now, you can do this on a page-by-page basis with
>> policy-uri, but it has poor cache performance.
>> - Third-party ad networks (e.g. DoubleClick) could choose ad servers
>> dynamically to serve ad content.
>> - Third-party analytics providers could add and remove report-URIs without
>> having to get the web site to change its server configuration.
>> - Better support for CSP in single-page web applications where more sources
>> of content are added over the lifetime of a single page (e.g. a streaming news
>> feed that contains third-party images)
>> 
>> I don't see a security risk to setting the "allow-modification" directive
>> (if the attacker could run JavaScript on your site to add a new CSP
>> directive, they could already steal your cookies and other private data) but
>> it's probably a good idea to make it opt-in just in case.
>> 
>> Collin
> 
> 
Received on Friday, 9 December 2011 18:45:39 GMT
