Re: CSP policy file

I also think adding these properties could go into the manifest file; this
would gain parity with the newly created specification EPR:
https://w3c.github.io/webappsec/specs/epr/

Along with the talks about navigation directives, I really think a manifest-file-
based CSP would be beneficial to most applications.


On Sun, Mar 22, 2015 at 4:53 PM Jonathan Kingston <jonathan@jooped.co.uk>
wrote:

> It may now make sense to discuss again having an external policy
> file.
>
> So instead of the following headers:
>
> Content-Security-Policy-Pin: max-age: 10886400;
>                              includeSubDomains;
>                              default-src https:;
>                              form-action 'none';
>                              frame-ancestors 'none';
>                              referrer no-referrer;
>                              report-uri /csp-endpoint/pinned
> Content-Security-Policy: script-src https://application1.cdn.com;
>                          style-src https://application1.cdn.com;
>                          connect-src 'self';
>                          form-action 'self'
>
> There could be:
>
> Content-Security-Policy-file: policy: '/policy.csp';
>                               identity:
> 'ni:///sha-256;asijfiqu4t12...woeji3W?ct=application/csp'
>
>
> And in '/policy.csp':
> Content-Security-Policy-Pin: max-age: 10886400;
>                              includeSubDomains;
>                              default-src https:;
>                              form-action 'none';
>                              frame-ancestors 'none';
>                              referrer no-referrer;
>                              report-uri /csp-endpoint/pinned
> Content-Security-Policy: script-src https://application1.cdn.com;
>                          style-src https://application1.cdn.com;
>                          connect-src 'self';
>                          form-action 'self'
>
> Where the first request to a site would need to do a synchronous request
> to the policy file before loading other content (or potentially allow other
> requests to be made but not parsed or executed until the CSP is loaded).
>
> Due to most policies being the same for the whole domain, and policies
> getting more features, the file might allow for far more granular directives.
>
> The integrity would ensure that the CSP would only be trusted over a
> previous set of rules so long as the policy file matches the integrity. If
> the policy failed to match I would suggest using the previous set of rules.
>

Received on Thursday, 30 April 2015 00:08:02 UTC
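As an added illustration of the integrity check described in the quoted proposal (example code written for this page, not code from the original thread or from any W3C draft): a client-side decision routine that reads the hypothetical Content-Security-Policy-file header, verifies the fetched '/policy.csp' body against its RFC 6920 `ni:` sha-256 identity, and keeps the previously pinned rules on any mismatch. The policy body and header value are constructed samples; the header name and `application/csp` content type are taken as assumptions from the proposal.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed sample body for the proposed '/policy.csp' (same directives as the quoted example).
POLICY_FILE = (
    b"Content-Security-Policy-Pin: max-age: 10886400; includeSubDomains; "
    b"default-src https:; form-action 'none'; frame-ancestors 'none'; "
    b"referrer no-referrer; report-uri /csp-endpoint/pinned\n"
    b"Content-Security-Policy: script-src https://application1.cdn.com; "
    b"style-src https://application1.cdn.com; connect-src 'self'; form-action 'self'\n"
)

def ni_for(policy: bytes, ct: str = "application/csp") -> str:
    """Build the RFC 6920 'ni' URI (sha-256, unpadded base64url) a server would publish."""
    b64 = base64.urlsafe_b64encode(hashlib.sha256(policy).digest()).rstrip(b"=")
    return f"ni:///sha-256;{b64.decode('ascii')}?ct={ct}"

def parse_file_header(value: str) -> dict:
    """Parse "policy: '/policy.csp'; identity: 'ni:...'"; quoted values may contain ';'."""
    return dict(re.findall(r"([\w-]+):\s*'([^']*)'", value))

def parse_ni(uri: str) -> Tuple[str, bytes, str]:
    """Return (algorithm, digest bytes, content type) from 'ni:///alg;b64?ct=type'."""
    m = re.fullmatch(r"ni:///([\w-]+);([A-Za-z0-9_-]+)(?:\?ct=([\w/+.-]+))?", uri)
    if not m:
        raise ValueError("malformed ni URI")
    alg, b64, ct = m.groups()
    return alg, base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)), ct or ""

def select_policy(header: str, fetched: bytes,
                  previous: Optional[bytes]) -> Tuple[Optional[bytes], bool]:
    """Return (policy_to_apply, accepted): the fetched file only when its digest
    matches the header's identity, otherwise the previously pinned rules."""
    fields = parse_file_header(header)
    try:
        alg, expected, ct = parse_ni(fields.get("identity", ""))
    except ValueError:
        return previous, False  # unparsable identity: never trust the new file
    if alg != "sha-256" or ct != "application/csp":
        return previous, False  # unsupported algorithm or wrong content type
    if hmac.compare_digest(hashlib.sha256(fetched).digest(), expected):
        return fetched, True
    return previous, False  # digest mismatch: keep the old rules, as proposed
```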