W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Wed, 28 Nov 2012 00:16:30 +0000
To: Adam Barth <w3c@adambarth.com>, Fred Andrews <fredandw@live.com>
CC: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE1386E5E7@TK5EX14MBXC287.redmond.corp.microsoft.com>
I agree with this feedback. An HTML element attribute would solve a few of the problems we've noted about <meta>.  I do not think this needs to block FPWD as it doesn't affect the feature scope of the spec (which is the primary thing I look for when deciding to publish a FPWD).

I support a publication of CSP 1.1 as FPWD.

-----Original Message-----
From: Adam Barth [mailto:w3c@adambarth.com] 
Sent: Wednesday, November 28, 2012 10:01 AM
To: Fred Andrews
Cc: Hill, Brad; public-webappsec@w3.org
Subject: Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD

On Tue, Nov 27, 2012 at 3:45 PM, Fred Andrews <fredandw@live.com> wrote:
> Dear Brad,
>
> Using a <meta> element for the CSP is problematic and I recommend it 
> be moved to an attribute on the <html> element.  Further I recommend 
> that injection of such an attribute be ignored so that only the static 
> markup can have any effect.
>
> Using a <meta> element opens a range of complex issues, such as 
> synchronizing the start of a CSP with ongoing asynchronous page load 
> actions and the retrospective application of restrictions to running JS contexts.
> To make it reliable might require the introduction of a dependency 
> notation and this may not be worth the effort.

This is good feedback for the working group for after we've published a FPWD.  Perhaps we should raise an ISSUE so that we're sure to address your concerns before moving to the next stage of the W3C process.

Adam


> The security work of PUA CG requires a static mechanism for specifying 
> the CSP to avoid the initiation of the CSP being used to leak 
> information and a <html> attribute will likely be used to avoid having to reading ahead for a
> CSP <meta> element.   This appears much easier to implement and would be a
> subset of the proposed CSP 1.1 <meta> element and perhaps it would be 
> adequate and better suit browser vendors anyway.
>
> cheers
> Fred
>
> ________________________________
> From: bhill@paypal-inc.com
> To: public-webappsec@w3.org
> Date: Tue, 27 Nov 2012 22:01:20 +0000
> Subject: [webappsec] Call for Consensus: CSP 1.1 to FPWD
>
>
> This is a Call for Consensus among the WebAppSec WG to accept the 
> following draft of CSP 1.1 as a First Public Working draft:
>
>
>
> https://dvcs.w3.org/hg/content-security-policy/raw-file/48bed86c418d/c
> sp-specification.dev.html
>
>
>
> CSP 1.1 extends CSP 1.0 and defines several new elements of policy
> mechanism:
>
>
>
> * an HTML <meta> Element
>
> * Script Interfaces
>
> * Directory path Source Expressions
>
> * Media Type lists
>
>
>
> As well as a number of new directives:
>
>
>
> * form-action
>
> * script-nonce
>
> * plugin-types
>
> * reflected-xss
>
>
>
> Please send comments to public-webappsec@w3.org , positive feedback is 
> encouraged.
>
>
>
> This CfC will end on December 4, 2012.
>
>
>
> Thank you,
>
>
>
> Brad Hill
>
>
Received on Wednesday, 28 November 2012 00:18:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 28 November 2012 00:18:51 GMT