
[webappsec] CSP META tag support - keep or remove?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 26 Mar 2012 22:27:51 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E069888@DEN-EXDDA-S12.corp.ebay.com>

On the last conference call, we resolved to remove the policy-uri directive from the CSP 1.0 specification.

One of the suggested alternatives was the META tag.  We currently have only one implementation of META support, so this feature is also in danger.

I'd like to hear opinions on whether we should keep or remove this feature from v 1.0.

My initial take is:

Pro:
* Support static documents loaded by file:, data: or other non-HTTP methods
* Get around header size restrictions for very complex policies
* We have heard reports that the META tag is used to delay policy enforcement: to pre-load some resources outside of CSP restrictions, then inject it into a page to "lock it down".  If this is to be a supported use-case, I think we need to update the spec to make this very explicit.

Con:
* META policies can be overridden in the case of a header injection vulnerability. (though that is usually a game-over vulnerability, anyway, given HTTP response splitting possibilities)
* META policies significantly complicate the task of intermediaries who may wish to inspect resources for CSP compliance and inject/combine additional policy tokens, especially if the tag can appear anywhere in a resource

Thoughts?

Brad Hill
Received on Monday, 26 March 2012 22:28:28 GMT
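As an added example, not code from Brad Hill's message or from any CSP implementation, here is a Python sketch of the job the second Con describes: an intermediary that pulls every CSP META tag out of a document, places those policies beside the header policy, and evaluates a resource load against all of them. It assumes the rule that every delivered policy is enforced (so a META policy can tighten but never loosen the header policy), uses deliberately simplified source-expression matching, and the header policy and HTML document are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a strict header policy and a page whose META tag is looser.
HEADER_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
SAMPLE_HTML = '<html><head><meta http-equiv="Content-Security-Policy" content="script-src *"></head><body></body></html>'

def parse_policy(text):
    """Turn a policy string into {directive: [source expressions]}."""
    policy = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

class MetaCSPExtractor(HTMLParser):
    # Collects every <meta http-equiv="Content-Security-Policy"> found anywhere in the document.
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(parse_policy(a.get("content") or ""))

def source_allowed(sources, url, page_origin):
    """Simplified matching of 'none', '*', 'self', scheme: and host-source expressions."""
    if "'none'" in sources:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for s in sources:
        if s == "*" or (s == "'self'" and origin == page_origin):
            return True
        if (s.endswith(":") and parts.scheme == s[:-1]) or s in (origin, parts.netloc):
            return True
    return False

def policy_allows(policy, directive, url, page_origin):
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return source_allowed(sources, url, page_origin)

def check_document(header_policy, html, directive, url, page_origin):
    # Header and META policies all apply: the load is allowed only if every one allows it.
    extractor = MetaCSPExtractor()
    extractor.feed(html)
    policies = [parse_policy(header_policy)] + extractor.policies
    return all(policy_allows(p, directive, url, page_origin) for p in policies)
```

With the constructed inputs, the META tag's `script-src *` does not let a third-party script through, because the header's `script-src` still has to allow it.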
