Re: CSP script interface suggestion.

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 1 Jun 2012 11:49:06 -0700
Message-ID: <CAJE5ia9_QAswRCzrzHxUHfFjOX44yw=9VV5D++NzzCxsEWjD0Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org
By the way, this new approach aligns with Robert O'Callahan's
recommendations on web API design:

http://robert.ocallahan.org/2012/05/canvas-getcontext-mistake.html

Adam


On Fri, Jun 1, 2012 at 11:43 AM, Mike West <mkwst@google.com> wrote:
> I've taken a stab at a WebKit implementation of the experimental CSP script
> interface as currently specified in the 1.1 draft, and have a suggestion for
> improvement based on that experience.
>
> Specific query methods for each of the relevant types that CSP deals with
> seem simpler to deal with than the current structure. The
> `SecurityPolicy.isWhitelisted` method does too much at the moment, and
> requires developers to know too much about how CSP actually works. Asking
> "Can I inject a script block onto this page?" requires a developer to
> understand the directive is named `script-src`, and that the specific value
> they should test for is 'unsafe-inline'. That's probably too much to
> ask. Something like `SecurityPolicy.allowInlineScript()` would be more
> straightforward, as would `SecurityPolicy.allowEval()` and
> `SecurityPolicy.allowScriptFrom([URL])` and so on.
>
> If you're curious, the IDL file I'm running with at the moment
> is https://github.com/mikewest/webkit/blob/csp11domapi/Source/WebCore/page/DOMSecurityPolicy.idl,
> and you can see some usage examples in the `securitypolicy-*` tests
> under https://github.com/mikewest/webkit/tree/csp11domapi/LayoutTests/http/tests/security/contentSecurityPolicy
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Friday, 1 June 2012 18:50:09 GMT
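
The helper-method shape proposed in the quoted message, as an added example that is not part of the thread or of the WebKit branch it links: a hypothetical `PolicyQuery` class answers the three questions from a policy string, so the caller never has to name `script-src` or `'unsafe-inline'`. The class name, the sample policy and the simplified source matching (no ports or paths) are assumptions.

```javascript
// Added illustration: not the WebKit patch or the CSP 1.1 draft's algorithm.
// Simplified CSP 1.0-style parsing; source ports and paths are not handled.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}
class PolicyQuery {
  constructor(header, selfOrigin) {
    this.directives = parsePolicy(header);
    this.self = new URL(selfOrigin);
  }
  // script-src falls back to default-src; null means scripts are unrestricted.
  scriptSources() {
    return this.directives.get('script-src') ?? this.directives.get('default-src') ?? null;
  }
  allowInlineScript() {
    const s = this.scriptSources();
    return s === null || s.includes("'unsafe-inline'");
  }
  allowEval() {
    const s = this.scriptSources();
    return s === null || s.includes("'unsafe-eval'");
  }
  allowScriptFrom(url) {
    const s = this.scriptSources();
    if (s === null) return true;
    const target = new URL(url);
    return s.some((src) => {
      if (src === '*') return true;
      if (src === "'self'") return target.origin === this.self.origin;
      if (src.startsWith("'")) return false; // other keywords never match a URL
      if (src.endsWith(':')) return target.protocol === src; // scheme source
      const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/.exec(src);
      if (!m) return false;
      // A host source without a scheme inherits the page's scheme.
      const scheme = m[1] ? m[1] + ':' : this.self.protocol;
      if (scheme !== target.protocol) return false;
      return m[2] ? target.hostname.endsWith('.' + m[3]) : target.hostname === m[3];
    });
  }
}
// Constructed sample policy and origin.
const sample = new PolicyQuery("script-src 'self' https://cdn.example.net 'unsafe-eval'", 'https://app.example.com');
console.log(sample.allowInlineScript(), sample.allowEval(), sample.allowScriptFrom('https://cdn.example.net/lib.js'));
```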