Re: CSP declarations in html meta tags

Hey Mike,

Thanks for the links. Those threads are helpful. It sounds like the
community's convinced that whatever risk is introduced by allowing CSP in
meta tags is justified by the benefit. Much appreciated.


On Sun, Jul 13, 2014 at 12:08 AM, Mike West <mkwst@google.com> wrote:

>  There's been a good bit of discussion about this topic on the list.
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0202.html
> and http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0105.html
> are the most recent threads I know of.
>
> Do they more or less answer your questions about the use cases <meta>
> is intended to support?
>
> -mike
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Sun, Jul 13, 2014 at 7:17 AM, Caleb Queern <cqueern@gmail.com> wrote:
> > Hey Mike thanks for the link.
> >
> > Here's what was on my mind. (It assumes that we agree having CSP in the
> > headers is better because it's less easily manipulated or hijacked by an
> > attacker. Not sure my argument is too sound but if nothing else perhaps
> > having a quick place in writing where this was discussed may aid curious
> > folks in the future.)
> >
> > Essentially if we allow CSP to be declared in meta tags, we're giving the
> > world two options. We're saying,
> >
> > "Hey world,
> >
> > 1. You can communicate CSP using HTTP Headers. This is the best way of
> doing
> > things but it's pretty hard for most people most of the time.
> >
> > 2. You can also communicate CSP directives using meta tags. This is not
> > really a good way of doing things but it's really easy for most people
> most
> > of the time."
> >
> > My concern / fear is that looking back we'll find that we'll regret
> making
> > it easy for most people to do things in a way we think is less secure,
> and
> > we'll have a lot of moments where we say  "duh, of course everybody
> messed
> > that up; maybe it was naive for us to think they'd take the extra steps
> to
> > do it the harder and better way".
> >
> > I understand that there are scenarios when folks can't modify headers and
> > offering CSP via meta tags would be their only option. I just wonder if
> the
> > risk introduced by allowing CSP in meta tags is really justified by the
> > perceived benefit.
> >
> > Perhaps this concern has already been addressed somewhere and I missed
> it,
> > but since you said now's the right time to have opinions about it...
> >
> >
> >
> >
> > On Fri, Jul 11, 2014 at 7:52 AM, Mike West <mkwst@google.com> wrote:
> >>
> >> http://www.w3.org/TR/CSP2/#delivery-html-meta-element is what made it
> >> to the Last Call draft. Now's the right time to have opinions about
> >> it, either way. :)
> >>
> >> -mike
> >> --
> >> Mike West <mkwst@google.com>
> >> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >>
> >> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> >> Registergericht und -nummer: Hamburg, HRB 86891
> >> Sitz der Gesellschaft: Hamburg
> >> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> >> (Sorry; I'm legally required to add this exciting detail to emails.
> Bleh.)
> >>
> >>
> >> On Fri, Jul 11, 2014 at 2:10 AM, Caleb Queern <cqueern@gmail.com>
> wrote:
> >> > Hey gang,
> >> >
> >> > Been lurking a while... first time posting to the distro.
> >> >
> >> > I wanted to see where things lie with the proposal to allow CSP
> >> > declarations
> >> > via meta tags. Has that gotten the green light, or is that still under
> >> > debate?
> >> >
> >> > Caleb
> >
> >
> >
> >
> > --
> > Caleb
> > 571-228-8011
>



-- 
Caleb
571-228-8011