W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD

From: Fred Andrews <fredandw@live.com>
Date: Tue, 27 Nov 2012 23:45:53 +0000
Message-ID: <BLU002-W64077A92931013C121B25FAA5E0@phx.gbl>
To: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Dear Brad,

Using a <meta> element for the CSP is problematic and I recommend it be moved to an attribute on the <html> element.  Further I recommend that injection of such an attribute be ignored so that only the static markup can have any effect.

Using a <meta> element opens a range of complex issues, such as synchronizing the start of a CSP with ongoing asynchronous page load actions and the retrospective application of restrictions to running JS contexts.  To make it reliable might require the introduction of a dependency notation and this may not be worth the effort.

The security work of PUA CG requires a static mechanism for specifying the CSP to avoid the initiation of the CSP being used to leak information and a <html> attribute will likely be used to avoid having to reading ahead for a CSP <meta> element.   This appears much easier to implement and would be a subset of the proposed CSP 1.1 <meta> element and perhaps it would be adequate and better suit browser vendors anyway.

cheers
Fred

From: bhill@paypal-inc.com
To: public-webappsec@w3.org
Date: Tue, 27 Nov 2012 22:01:20 +0000
Subject: [webappsec] Call for Consensus: CSP 1.1 to FPWD









This is a Call for Consensus among the WebAppSec WG to accept the following draft of CSP 1.1 as a First Public Working draft:
 
https://dvcs.w3.org/hg/content-security-policy/raw-file/48bed86c418d/csp-specification.dev.html

 
CSP 1.1 extends CSP 1.0 and defines several new elements of policy mechanism:

 
* an HTML <meta> Element
* Script Interfaces
* Directory path Source Expressions
* Media Type lists
 
As well as a number of new directives:
 
* form-action
* script-nonce
* plugin-types
* reflected-xss
 
Please send comments to 
public-webappsec@w3.org , positive feedback is encouraged.
 
This CfC will end on December 4, 2012.
 
Thank you,
 
Brad Hill
 
 		 	   		  
Received on Tuesday, 27 November 2012 23:46:21 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 13:26:31 UTC