
Re: CSP 1.1: More granular source list definitions.

From: Mike West <mkwst@google.com>
Date: Tue, 3 Jul 2012 14:23:08 -0500
Message-ID: <CAKXHy=eqN=Kw5aQbP4QaOT+pCwrG48jOa0B9ohFybnGFywjsPQ@mail.gmail.com>
To: Odin Hørthe Omdal <odinho@opera.com>
Cc: public-webappsec@w3.org
Note that WebKit only started complying with CSP 1.0's spec on this point
about two weeks ago (http://trac.webkit.org/changeset/120540). Prior to
that point, it was (silently) erroring off on the whole source.

Given that history, we might have success at preparing the way for
granularity in 1.1 by adding a warning to 1.0 implementations now, noting
that the path component is being ignored. That would be lighter-weight than
a version component.

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Mon, Jul 2, 2012 at 6:45 AM, Odin Hørthe Omdal <odinho@opera.com> wrote:

> On Fri, 22 Jun 2012 11:31:41 +0200, Mike West <mkwst@google.com> wrote:
>
>> One of the proposals for CSP 1.1 is additional granularity in source
>> paths (http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1).
>> I think this additional granularity is well worth pursuing
>>
>
> I think so too. There are many places in CSP that I think are a bit too
> granular and rather too complex IMHO, but this case seems a quite common
> way to give some additional security to smaller sites.
>
> In fact, it was also the first thing that came up when I talked with
> hackers making a small locally hosted image gallery software.
>
> You can work around it by having a userfiles domain, but it would
> complicate the setup procedure immensely.
>
>
>
> The problem with how the spec is doing things now (throwing away the path
> component) is that sites using CSP (1.0) will no doubt have errors. They'll
> write script-src: http://my-site.com/js/ and use scripts from js, except
> for that one time they use one on /my-demo/js.js and it works anyway so
> they actually don't think about it.
>
> So if CSP 1.0 is allowed to live a long time in a browser, the behavior we
> have now might actually be mandatory for site-compat.
>
> --
> Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software,
> http://opera.com
>
>
Received on Tuesday, 3 July 2012 19:24:01 GMT