Re: CSP Sandbox directive and meta tag - CSP 1.1 from Devdatta Akhawe on 2012-09-19 (public-webappsec@w3.org from September 2012)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 18 Sep 2012 18:08:51 -0700
To: Jacob Rossi <Jacob.Rossi@microsoft.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_3YPN3RiMH-dd0+rV_vna+w0yUbm3YhF8GvxL2vQz1rHQ@mail.gmail.com>

I think meta tag should have sandbox support. First, I dislike "some
options only work in header". Further, WebKit (correct me here)
already supports meta tag sandbox. And Jacob's mail shows that
Microsoft might also be able to support sandbox in meta tag. And in
terms of security, it makes sense to have a document specify "ok I am
done with my privileged stuff , please drop my privileges now"

> 1. The spec describes that HTTP headers trump meta tags, the first meta tag wins over subsequent ones, and that meta elements inserted after loading are ignored. But what about dynamic manipulation of a currently enforced policy from a meta element? In other words, can I alter the content attribute of the meta tag after loading the document?  I think the answer should be no, but that should probably be specified.
>

+1

> 2. I assume that, prior to parsing the meta element, scripts can execute as though there is no policy. So:
>
> <script> alert('You see this alert');</script>
> <meta http-equiv="content-security-policy" content="script-src: 'none'">
> <script> alert('You will not see this alert');</script>
>
> But what if this was a plugin?  Does the first plugin get unloaded by the User Agent or does the later loaded policy not apply to it?
>

I think not applying to it makes sense.



thanks
Dev

> Thanks!
>
> -Jacob
>
> -----Original Message-----
> From: Tanvi Vyas [mailto:tanvi@mozilla.com]
> Sent: Tuesday, September 18, 2012 3:17 PM
> To: public-webappsec@w3.org
> Subject: CSP Sandbox directive and meta tag - CSP 1.1
>
> A couple months ago during our biweekly call we discussed how a csp sandbox directive would be handled when the content security policy is specified in a meta tag.  We proposed ignoring the csp sandbox directive if set in a meta policy.  This is because the sandbox flag needs to be set on navigation, and the <meta> tag with the policy isn't specified until after navigation and after a principal for the document has already been set.  Switching to the null principal after we discover the sandbox directive makes following the same origin policy tricky since we'd already be halfway through parsing the document.
>
> Bringing this up on the mailing list for further discussion. Thanks!
>
> ~Tanvi
>
>
>
>
>
>

Received on Wednesday, 19 September 2012 01:09:38 UTC