
Re: An urge for CSP META tag in 1.0

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 01 May 2012 11:45:28 -0700
Message-ID: <4FA02F48.6080806@mozilla.com>
To: John Wilander <john.wilander@owasp.org>
CC: public-webappsec@w3.org

On 4/27/12 2:18 AM, John Wilander wrote:
> Here are my arguments for bringing support for CSP in meta tags back
> into 1.0:
> 
>  1. *Ease of adoption over "perfect" security*.

For the developers who want to use CSP, meta tag support is a win: it
allows CSP use in many more situations such as those you presented
in your points 2-4. Combining a content-injection protection policy
in the content it's trying to protect carries risk that the policy
might be subverted, but I get your argument that it's better than
"perfect but not deployed".

My main concern is that supporting the meta tag turns CSP into a
weapon that can be used against sites who know nothing about CSP and
are not trying to protect against it. They may have simple filters
trying to block <script> tags and on* event handlers, and get
broadsided by a <meta> tag that selectively turns off some of the
scripts that are essential to the page -- think of some of the
attacks on the early versions of IE XSS protection.

We should not be adding a "security" feature that makes existing
pages less secure if they have not opted into it.

-Dan Veditz
Received on Tuesday, 1 May 2012 18:46:05 GMT
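The failure mode Dan describes above, a blocklist filter that scrubs `<script>` tags and `on*` handlers but lets through a `<meta>` tag carrying a policy, can be checked for directly. The following Python is an added example, not code from this thread or from any CSP implementation; the sample markup is constructed, and the parser is a detection aid for untrusted HTML rather than a full sanitizer.

```python
from html.parser import HTMLParser

# Constructed sample: content a naive filter already scrubbed of <script>
# and on* handlers, but which still carries an injected policy that would
# block the page's own script. Not taken from the mailing-list thread.
SAMPLE_HTML = (
    '<p>Hello</p>'
    '<META HTTP-EQUIV="content-security-policy" CONTENT="script-src \'none\'">'
    '<script src="/static/app.js"></script>'
)


class MetaCspFinder(HTMLParser):
    """Records every <meta http-equiv="Content-Security-Policy"> start tag."""

    def __init__(self):
        super().__init__()
        self.policies = []   # policy strings found in content="..."
        self.raw_tags = []   # exact tag text, used for stripping

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; attribute values
        # keep their original case, so the http-equiv value is lowered here.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", "").strip())
            self.raw_tags.append(self.get_starttag_text())


def find_meta_csp(html):
    """Return the policy strings of all meta-delivered CSP tags in html."""
    p = MetaCspFinder()
    p.feed(html)
    p.close()
    return p.policies


def strip_meta_csp(html):
    """Return html with every meta-delivered CSP tag removed."""
    p = MetaCspFinder()
    p.feed(html)
    p.close()
    for raw in p.raw_tags:
        html = html.replace(raw, "")
    return html


if __name__ == "__main__":
    print(find_meta_csp(SAMPLE_HTML))   # ["script-src 'none'"]
    print(strip_meta_csp(SAMPLE_HTML))  # meta gone, page script kept
```

A filter that allowlists elements would never pass `<meta>` at all; this check is for the blocklist-style filters the thread is worried about, and a flagged policy in user-supplied content is itself a signal worth logging.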
