
CSP script interface suggestion.

From: Mike West <mkwst@google.com>
Date: Fri, 1 Jun 2012 20:43:35 +0200
Message-ID: <CAKXHy=fV2zp=ETrSAPjtno24caa-JVOvYtxJnLQSmfW7dU2ATA@mail.gmail.com>
To: public-webappsec@w3.org
I've taken a stab at a WebKit implementation of the experimental CSP script
interface as currently specified in the 1.1 draft, and have a suggestion
for improvement based on that experience.

Specific query methods for each of the relevant types that CSP deals with
seem simpler to deal with than the current structure. The
`SecurityPolicy.isWhitelisted` method does too much at the moment, and
requires developers to know too much about how CSP actually works. Asking
"Can I inject a script block onto this page?" requires a developer to
understand the directive is named `script-src`, and that the specific value
they should test for is 'unsafe-inline'. That's probably too much to
ask. Something like `SecurityPolicy.allowInlineScript()` would be more
straightforward, as would `SecurityPolicy.allowEval()` and
`SecurityPolicy.allowScriptFrom([URL])` and so on.

If you're curious, the IDL file I'm running with at the moment is
https://github.com/mikewest/webkit/blob/csp11domapi/Source/WebCore/page/DOMSecurityPolicy.idl,
and you can see some usage examples in the `securitypolicy-*` tests under
https://github.com/mikewest/webkit/tree/csp11domapi/LayoutTests/http/tests/security/contentSecurityPolicy

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Friday, 1 June 2012 18:44:25 GMT
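The following is an added example, not code from the post above nor from the WebKit patch it links to: a small stand-alone model of the query methods the post proposes (`allowInlineScript`, `allowEval`, `allowScriptFrom`) built on top of a minimal parser for a `Content-Security-Policy` header value. It makes concrete the point that a page author wants to ask "may I inject a script?" without knowing that the answer lives in `script-src` (falling back to `default-src`) and turns on the `'unsafe-inline'` keyword. The policy strings, origins and URLs in the block are constructed for illustration; the function names, the `makeSecurityPolicy` factory and the simplified source-matching rules (no path matching, no nonces or hashes, `*` matches everything) are assumptions of this example, not the shape of any shipped browser API.

```javascript
// Added example (not from the original post or WebKit). Models the proposed
// convenience predicates over a parsed CSP header. Policies, origins and
// URLs used here are constructed; matching rules are deliberately simplified.

// Parse a CSP header value into Map<directive name, source expression list>.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs script: script-src, else default-src,
// else null meaning "the policy places no restriction on script".
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Port a URL is effectively using, with the scheme default filled in.
function effectivePort(url) {
  if (url.port !== '') return url.port;
  if (url.protocol === 'https:') return '443';
  if (url.protocol === 'http:') return '80';
  return '';
}

// Match a host source such as cdn.example.com, https://cdn.example.com:8443
// or *.static.example.net. Path components are ignored (simplification).
function hostSourceMatches(expr, url, self) {
  let scheme = null;
  let rest = expr;
  const sep = expr.indexOf('://');
  if (sep !== -1) {
    scheme = expr.slice(0, sep).toLowerCase() + ':';
    rest = expr.slice(sep + 3);
  }
  rest = rest.split('/')[0];
  const [hostPattern, portPattern] = rest.toLowerCase().split(':');
  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== self.protocol &&
             !(self.protocol === 'http:' && url.protocol === 'https:')) {
    // A scheme-less host source inherits the page's scheme (http may
    // be satisfied by https, never the other way round).
    return false;
  }
  if (portPattern === undefined) {
    if (url.port !== '') return false;          // only the default port matches
  } else if (portPattern !== '*' && portPattern !== effectivePort(url)) {
    return false;
  }
  const host = url.hostname.toLowerCase();
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1);        // ".static.example.net"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPattern;
}

// Does one source expression permit loading a script from `url`?
function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  if (expr === "'unsafe-inline'" || expr === "'unsafe-eval'") return false; // keywords, not URL sources
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return true;                                            // simplification
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {                                 // scheme source, e.g. "https:"
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  return hostSourceMatches(expr, url, self);
}

// Factory for the proposed query surface. `selfOrigin` stands in for the
// origin of the document the policy is attached to.
function makeSecurityPolicy(header, selfOrigin) {
  const policy = parsePolicy(header);
  const self = new URL(selfOrigin);
  return {
    isActive: () => policy.size > 0,
    // Inline <script> blocks are only permitted when the governing source
    // list carries 'unsafe-inline' (or no policy restricts script at all).
    allowInlineScript: () => {
      const s = scriptSources(policy);
      return s === null || s.includes("'unsafe-inline'");
    },
    allowEval: () => {
      const s = scriptSources(policy);
      return s === null || s.includes("'unsafe-eval'");
    },
    allowScriptFrom: (urlString) => {
      const s = scriptSources(policy);
      if (s === null) return true;
      const url = new URL(urlString);
      return s.some((expr) => sourceMatches(expr, url, self));
    },
  };
}
```

With this shape, a page script that wants to know whether it may build a loader that injects an inline block calls `allowInlineScript()` and branches; it never has to spell out `script-src` or `'unsafe-inline'`, which is exactly the abstraction the post argues for.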
