W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Restricting APIs in CSP

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 2 Nov 2012 13:48:26 +0100
Message-ID: <CABcZeBPHwaZuVED00GpXYAW1X40yVtR_nhaRBzZurPgjSyE9-g@mail.gmail.com>
To: public-webappsec <public-webappsec@w3.org>
I've been starting to wonder if it's worth having a mechanism to restrict
access to APIs in CSP.  A good example here is getUserMedia(),
which allows access to the camera and microphone. It's going to
be possible to set a persistent permission allowing an origin to
access these devices, but you could imagine that a site might
want to restrict that permission to specific pages. This could
obviously be done with domain sharding, but that's gross...

So, you could imagine a CSP directive like:

forbid-function getUserMedia

That would restrict access to getUserMedia.

Other candidates here might be the webcrypto APIs to the extent to
which they allow access to persistent origin-bound keys.


1. Does this sound like a plausible goal to people?
2. Any suggestions about the syntax?

-Ekr
Received on Friday, 2 November 2012 12:49:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 2 November 2012 12:49:35 GMT