- From: Andy Paicu <andypaicu@chromium.org>
- Date: Thu, 05 Apr 2018 12:50:27 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 5 April 2018 12:51:09 UTC
Hello folks at webappsec,

The CSP 'unsafe-hashed-attributes' keyword proposal has traditionally had quite a bit of controversy and discussion and I would like to try to channel all of these discussions and opinions towards some end decision of some sort.

'unsafe-inline-attribute' has also had some discussion and has recently resurfaced in light of some CSS-based keylogger attacks. Seeing that it is quite similar to 'unsafe-hashed-attributes' I think they're worth discussing together.

CSP directive versioning follows logically from the two above so I have also bundled it up in the explainer below:

https://docs.google.com/document/d/1_nYS4gWYO2Oh8rYDyPglXIKNsgCRVhmjHqWlTAHst7c/edit?usp=sharing

I would like to hear all of your thoughts and opinions on this as I believe there is real benefit in adding these features.

Regards,
Andy Paicu