W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2011

Re: Proposal: CSP "allow-modification" directive

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 9 Dec 2011 10:49:22 -0800
Message-ID: <CAJE5ia-7w2xQks=zBj-97SM=h9fr5mG24jBHUVfRZNujsou7aw@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, public-webappsec@w3.org, Eric Chen <eric.chen@sv.cmu.edu>, Rami Shomali <rami.shomali@sv.cmu.edu>, Chinmay Garde <chinmay.garde@sv.cmu.edu>, Yolando Pereira <yolando.pereira@sv.cmu.edu>
If don't keep a tight control over the scope of 1.0, we'll never
finish it.  IMHO, we'll be better off if we ship a narrowly scoped 1.0
quickly and then iterate.  There's a long list of potential directives
that have solid use cases.  The current plan is to collect them on the
wiki and then discuss them for the next iteration.

Adam


On Fri, Dec 9, 2011 at 10:45 AM, Thomas Roessler <tlr@w3.org> wrote:
> I wonder whether this use case can wait till a version 1.1.
>
> Think "ad" instead of "widget".  I think that it's pretty important that CSP is compatible with running ads on the pages it's used to protect.
>
> On 2011-12-09, at 00:39 +0100, Adam Barth wrote:
>> I agree that there's a use case for including third-party widgets in
>> your page without you having to know all the resources that they might
>> include.  It's slightly unclear to me what the best delegation
>> mechanism might be.  For example, you might want to set a bound like
>> "my advertising provider can whitelist hosts for scripting, as long as
>> they always use HTTPS."
>>
>> In any case, I think this is a use case we should think about for CSP
>> 1.1.  I'll add your proposal to the wiki shortly.
>>
>> Adam
>>
>>
>> On Thu, Dec 8, 2011 at 12:06 PM, Collin Jackson
>> <collin.jackson@sv.cmu.edu> wrote:
>>> One problem I see with CSP is that it encourages a one-size-fits-all policy
>>> for an entire site, whereas in reality each page might want different
>>> policies, and a single page might want different policies at different
>>> times. I would like to propose a CSP "allow-modification" directive that
>>> exposes a JavaScript API for adding new CSP directives to the current page.
>>> I envision this would mostly be used by third-party script providers. For
>>> example:
>>>
>>> - Sites can delegate their CSP policy to third-party security companies on a
>>> page-by-page basis. Right now, you can do this on a page-by-page basis with
>>> policy-uri, but it has poor cache performance.
>>> - Third-party ad networks (e.g. DoubleClick) could choose ad servers
>>> dynamically to serve ad content.
>>> - Third-party analytics providers could add and remove report-URIs without
>>> having to get the web site change its server configuration.
>>> - Better support for CSP in single-page web applications where more sources
>>> of content are added over lifetime of a single page (e.g. a streaming news
>>> feed that contains third-party images)
>>>
>>> I don't see a security risk to setting the "allow-modification" directive
>>> (if the attacker could run JavaScript on your site to add a new CSP
>>> directive, they could already steal your cookies and other private data) but
>>> it's probably a good idea to make it opt-in just in case.
>>>
>>> Collin
>>
>>
>
Received on Friday, 9 December 2011 18:50:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 9 December 2011 18:50:30 GMT