RE: CSP 1.1 - capability advertisement and sandbox directive

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 8 May 2012 20:37:35 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E0D19CC@DEN-EXDDA-S12.corp.ebay.com>

Not for today's call, but to put this out there for later follow-up before I forget:

In the context of capability advertisement, it seems to me that the sandbox directive has a different set of requirements from the other directives. Namely, the other directives are intended to apply a voluntary least-privilege policy to content the creator of the policy presumes is at least mainly under their own control, whereas the use cases for sandbox assume from the start that the content is perhaps somewhat unsafe.

In the best-effort case, a DOM API seems to be a sensible way to query the resource's effective policy and capabilities. In the sandbox case, it seems much more likely that a server would need to know in advance of returning the resource whether these capabilities are supported by the user agent.  

E.g., return the document directly if origin is supported, but redirect and serve the resource from a unique origin, set script-src='none' or refuse to send the resource entirely if not.   Querying in the DOM is too late.

I wonder if the IE folks can discuss what approach they're taking to this?  User-agent sniffing?  Advertising capabilities in a browser-sent header? 

Do sandbox capabilities in CSP still have meaningful use-cases and customers without capability advertisement to the server, instead of just in the client context?

-Brad

> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Monday, May 07, 2012 2:05 AM
> To: public-webappsec@w3.org
> Subject: CSP 1.1
> 
> After moving CSP 1.0 to <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html>,
> I started sketching out some of the features we discussed at the face-to-face
> for CSP 1.1.  That text is located at <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>.
> 
> Specifically, I've added the following directives, as instructed by the wiki
> <http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1>:
> 
> * form-action
> * sandbox
> * script-nonce
> * plugin-types
> * frame-options
> 
> The text for these directives is very rough and really more of a sketch.  I've
> marked these directives (with exception of sandbox) as "experimental."
> 
> I've also added back the <meta> element and a script API for querying the
> current policy (based on <https://mikewest.org/2012/05/content-security-policy-feature-detection>).
> These are both also marked "experimental."
> 
> The only item on the wiki that I haven't included in this document is support
> for more granular (e.g., by directory) sources.  I've held off on this feature
> pending our discussion about how to treat sources with paths in CSP 1.0.
> 
> Please don't feel like the above is in any way set in stone.  I just wrote up
> what was on the wiki more formally.  If you've got a directive you think we
> should include in 1.1, please feel encouraged to put it on the wiki and to
> start a thread discussing it.  If you think any of the above directives should
> be cut, please feel encouraged to start a thread on that topic as well.  :)
> 
> Adam
Received on Tuesday, 8 May 2012 20:38:06 GMT
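The server-side decision Brad sketches above (serve directly when the user agent can enforce `sandbox`, otherwise fall back to a unique origin, to `script-src 'none'`, or to refusing the resource), written out as an added example that is not part of the thread and not code from any browser vendor or from the CSP specification. The request header `Sec-CSP-Capabilities` is a hypothetical capability-advertisement header invented for this example, as is the comma-separated list of directive names it carries; the sandbox domain and the `/untrusted` path are likewise assumptions.

```python
# Added example (not from the thread): a server-side decision on how to
# deliver content the server does not trust, driven by what the user agent
# advertises about its CSP support.  The request header
# "Sec-CSP-Capabilities" is HYPOTHETICAL, invented for this example; no
# browser sends it.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CAPABILITY_HEADER = "sec-csp-capabilities"  # hypothetical; matched case-insensitively


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_capabilities(request_headers: Dict[str, str]) -> Set[str]:
    """Return the set of CSP directive names the UA claims to support.

    Header names are matched case-insensitively; the value is a comma-separated
    list of directive names.  A missing or empty header yields the empty set,
    i.e. the server assumes nothing about the UA.
    """
    for name, value in request_headers.items():
        if name.lower() == CAPABILITY_HEADER:
            return {tok.strip().lower() for tok in value.split(",") if tok.strip()}
    return set()


def serve_untrusted(request_headers: Dict[str, str], content: bytes,
                    sandbox_domain: Optional[str] = None) -> Response:
    """Decide how to deliver content the server does not trust.

    Fallback order (a design choice for this example; the message lists the
    fallbacks without ranking them):
      1. UA supports the sandbox directive -> serve directly, fully sandboxed.
      2. A separate sandbox domain is configured -> redirect so the content is
         served from a throw-away, unique origin (works for any UA).
      3. UA supports script-src -> serve with script-src 'none'.
      4. Otherwise -> refuse to send the resource at all.
    """
    caps = parse_capabilities(request_headers)
    csp = "Content-Security-Policy"

    if "sandbox" in caps:
        # Bare "sandbox" with no allow-* tokens: unique origin, no script,
        # no forms, no top-level navigation.
        return Response(200, {csp: "sandbox", "Content-Type": "text/html"}, content)

    if sandbox_domain:
        # Unique origin per response: a random label under the sandbox domain.
        # Making the content available at that origin is assumed to be handled
        # elsewhere (hypothetical deployment detail).
        label = secrets.token_hex(8)
        location = f"https://{label}.{sandbox_domain}/untrusted"
        return Response(302, {"Location": location})

    if "script-src" in caps:
        # Cannot isolate the origin, but can at least forbid script execution.
        return Response(200, {csp: "script-src 'none'", "Content-Type": "text/html"},
                        content)

    # No usable mitigation: refuse rather than serve potentially hostile markup
    # with full privileges on this origin.
    return Response(403, {"Content-Type": "text/plain"},
                    b"User agent cannot enforce the required sandbox policy")


if __name__ == "__main__":
    # Constructed sample requests, one per branch.
    page = b"<p>untrusted markup</p>"
    print(serve_untrusted({"Sec-CSP-Capabilities": "default-src, sandbox"}, page))
    print(serve_untrusted({"Sec-CSP-Capabilities": "script-src"}, page, "sandbox.example"))
    print(serve_untrusted({"Sec-CSP-Capabilities": "script-src"}, page))
    print(serve_untrusted({}, page))
```

The point of the ranking is that the unique-origin redirect does not depend on the user agent at all, so it is preferred over `script-src 'none'`, which still leaves the content on the trusted origin; the absence of the advertisement header is treated as "no support", the conservative reading Brad's "querying in the DOM is too late" implies.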