W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

CSP 1.1

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 May 2012 02:04:36 -0700
Message-ID: <CAJE5ia-9+yAu5pDzbANQB5F-9GLhojeLveo-Y8_5DvfKYZkWRQ@mail.gmail.com>
To: public-webappsec@w3.org
After moving CSP 1.0 to
<http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html>,
I started sketching out some of the features we discussed at the
face-to-face for CSP 1.1.  That text is located at
<http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>.

Specifically, I've added the following directives, as instructed by
the wiki <http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1>:

* form-action
* sandbox
* script-nonce
* plugin-types
* frame-options

The text for these directives is very rough and really more of a
sketch.  I've marked these directives (with exception of sandbox) as
"experimental."

I've also added back the <meta> element and a script API for querying
the current policy (based on
<https://mikewest.org/2012/05/content-security-policy-feature-detection>).
 These are both also marked "experimental."

The only item on the wiki that I haven't included in this document is
support for more granular (e.g., by directory) sources.  I've held off
on this feature pending our discussion about how to treat sources with
paths in CSP 1.0.

Please don't feel like the above is in any way set in stone.  I just
wrote up what was on the wiki more formally.  If you've got a
directive you think we should include in 1.1, please feel encouraged
to put it on the wiki and to start a thread discussing it.  If you
think any of the above directives should be cut, please feel
encouraged to start a thread on that topic as well.  :)

Adam
Received on Monday, 7 May 2012 09:05:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 May 2012 09:05:38 GMT