
CSP 1.0

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 May 2012 01:54:54 -0700
Message-ID: <CAJE5ia_5hEt6phA3PipSHce246wf1AwzTyhncagrLe_sNo--UQ@mail.gmail.com>
To: public-webappsec@w3.org
tl;dr: CSP 1.0 is now located at
http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html
and contains the changes discussed at the face-to-face.


Based on the discussion at the recent face-to-face, I've made the
following changes:

1) I've included Brad Hill's advice to server operators:

http://dvcs.w3.org/hg/content-security-policy/rev/eea1c214cc85

I made an editorial pass over Brad's text to address a bunch of nits
(e.g., only using "may" in the normative sense).  Hopefully I haven't
butchered his text too badly.  Feedback welcome.  :)

2) Somewhat more controversially, I've changed the behavior when the
user agent receives more than one policy.  At the face-to-face, we
discussed having the user agent enforce a policy of default-src 'none'
in this case, but during the test jam, I realized that user agents are
going to need to implement policy combination anyway to deal with
vendor prefixes.  Given that user agents are going to need to
implement policy combination, it's more sensible for user agents to
enforce all of the policies they receive rather than failing in an
obnoxious way:

http://dvcs.w3.org/hg/content-security-policy/rev/96603653094a

Note: The document still forbids servers from sending more than one
Content-Security-Policy header.  IMHO, that's still a good idea
because intermediaries can still combine or otherwise mangle multiple
instances of the same header field.  I've added some explanatory text
around this topic.

Obviously, your thoughts on this topic are most welcome.

3) As discussed at the face-to-face, the spec now requires user agents
to enforce the policy default-src 'none' if they encounter a CSP
policy with a comma:

http://dvcs.w3.org/hg/content-security-policy/rev/7e995988d564

Such a policy is likely the result of network intermediaries mangling
the policy.

4) As discussed at the face-to-face, I've removed the sandbox
directive from CSP 1.0:

http://dvcs.w3.org/hg/content-security-policy/rev/dd1f7a1cd84f

Fear not, sandbox fans.  The sandbox directive now appears in CSP 1.1
(see my next email).

5) I've also made a few editorial cleanups (see the Hg log for details
if you care).

6) Finally, I've moved the CSP 1.0 spec to
<http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html>.
Hopefully we'll be able to stabilize this document and ship CSP 1.0
in short order.

Thanks all,
Adam
Received on Monday, 7 May 2012 08:56:04 GMT
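As an added illustration of items 2 and 3 above (this is not code from the email, from the CSP 1.0 draft, or from any user agent), the following JavaScript models the user-agent side: every policy received is enforced, so a load has to be permitted by each of them; a header value containing a comma is taken as a sign of intermediary mangling and replaced with default-src 'none'; and a second instance of the same header field is reported because the draft forbids servers from sending one. The vendor-prefixed header names, the simplified source-expression matching (only 'none', 'self', '*', scheme: and host[:port] forms), and the sample response headers are all assumptions constructed for the example.

```javascript
// Added example, not from the original email or the CSP 1.0 specification.
// Models the policy-combination rules described above. Header names other
// than Content-Security-Policy are assumed vendor-prefixed variants, and the
// source-expression matching is a deliberately simplified subset of the spec.

const POLICY_HEADERS = new Set([
  "content-security-policy",   // the CSP 1.0 header field
  "x-content-security-policy", // assumed vendor-prefixed names
  "x-webkit-csp",
]);

const NONE_POLICY = { "default-src": ["'none'"] };

// Parse one policy string into { directiveName: [sourceExpression, ...] }.
function parsePolicy(text) {
  const policy = {};
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence wins
  }
  return policy;
}

// Gather every policy the user agent must enforce from the response headers,
// given as [name, value] pairs in wire order. A comma anywhere in a value means
// intermediaries have joined header instances, so that policy fails closed.
function collectPolicies(headers) {
  const seen = new Map();
  const policies = [];
  const warnings = [];
  for (const [name, value] of headers) {
    const key = name.toLowerCase();
    if (!POLICY_HEADERS.has(key)) continue;
    seen.set(key, (seen.get(key) || 0) + 1);
    if (seen.get(key) === 2) {
      warnings.push(`more than one ${name} header; servers must send only one`);
    }
    if (value.includes(",")) {
      warnings.push(`comma in ${name}; enforcing default-src 'none'`);
      policies.push(NONE_POLICY);
    } else {
      policies.push(parsePolicy(value));
    }
  }
  return { policies, warnings };
}

// Simplified source-expression match: 'none', 'self', '*', "scheme:" and
// [scheme://][*.]host[:port|:*]. Without an explicit port only the scheme's
// default port matches (the URL parser reports that as an empty url.port).
function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  const target = host.toLowerCase();
  if (!(wildcard ? h.endsWith("." + target) : h === target)) return false;
  if (port === "*") return true;
  return port ? url.port === port : url.port === "";
}

// A fetch directive falls back to default-src when absent; with neither
// present the policy places no restriction on that load.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ("default-src" in policy) return policy["default-src"];
  return null;
}

function policyAllows(policy, directive, urlString, selfString) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const self = new URL(selfString);
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// The combination rule from the email: permitted only if every policy permits it.
function allowsLoad(policies, directive, urlString, selfString) {
  return policies.every((p) => policyAllows(p, directive, urlString, selfString));
}

// Constructed sample data for the demonstration below.
const DOCUMENT_ORIGIN = "https://app.example";
const SAMPLE_HEADERS = [
  ["Content-Security-Policy", "default-src 'self'; img-src *"],
  ["X-WebKit-CSP", "default-src 'self'; img-src https://cdn.example.com"],
];
const MANGLED_HEADERS = [
  ["Content-Security-Policy", "default-src 'self', default-src *"],
];

if (typeof require !== "undefined" && require.main === module) {
  const { policies, warnings } = collectPolicies(SAMPLE_HEADERS);
  console.log(warnings, allowsLoad(policies, "img-src", "https://other.example/a.png", DOCUMENT_ORIGIN));
  const mangled = collectPolicies(MANGLED_HEADERS);
  console.log(mangled.warnings, allowsLoad(mangled.policies, "img-src", "https://app.example/a.png", DOCUMENT_ORIGIN));
}
```

With the sample headers, an image from cdn.example.com is permitted because both policies allow it, while an image from any other host is blocked by the prefixed policy even though the unprefixed one says img-src *; the mangled header blocks everything, including same-origin loads, which is the failure mode the comma rule is designed to produce rather than silently enforcing only the fragment before the comma.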
