W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

Re: CSP transitivity and connect-src question

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 1 May 2012 10:25:26 -0700
Message-ID: <CAJE5ia_o3a4hVW=vCnp0buQM=oKvt2zn3cnpHRyaR0eDcEGBLA@mail.gmail.com>
To: Nataliia Bielova <Nataliia.Bielova@inria.fr>
Cc: public-webappsec@w3.org
On Wed, Apr 25, 2012 at 8:18 AM, Nataliia Bielova <Nataliia.Bielova@inria.fr
> wrote:

> Dear WebApp Security Group,
>
> I would like to ask a couple of questions about CSP (I'm reading the W3C
> Editor's Draft [1] of 25 April 2011), maybe some of them are not correct,
> in that case I would like to ask you to let me know. I am looking forward
> to getting your answers:
>
> 1. Is CSP transitive? Imagine a web page at a.com that has a CSP
> containing only one allowed resource "frame-src: b.com". Letís assume
> that b.com has a CSP containing "script-src: c.com". Now, once a frame
> from b.com has been loaded, can it load and execute a script from c.com?
> It seems that CSP does not forbids that because there is no explicit
> "redirection".
>

CSP affects only the current frame.  The b.com frame is restricted by only
it's policy, not the policy of a.com.


>  Think about the same setting in ECMAScript-6, where the "import"
> directive will be introduced -- then one script can load another script and
> so on, how will CSP deal with that?
>

The import directive likely should respect script-src.


> 2. Imagine now that a web page contains CSP with "connect-src: x.com". Is
> it correct that the open() method of XMLHttpRequest and the other two
> constructors in the specification are allowed to actually make HTTP
> requests to y.com, but the user agent must act as if it received an empty
> HTTP response?
>

Correct.  It's treated like a network error.  We use this approach for
consistency with the other directives (e.g., img-src).

Adam
Received on Tuesday, 1 May 2012 17:26:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 1 May 2012 17:26:30 GMT