Fwd: Call for Review of Content Security Policy 1.0

---------- Forwarded message ----------
From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, Sep 4, 2012 at 7:01 PM
Subject: Call for Review of Content Security Policy 1.0
To: "public-web-security@w3.org" <public-web-security@w3.org>


The Web Application Security Working Group at the W3C is planning to
advance Content Security Policy 1.0 to Candidate Recommendation – a
final set of features and syntax – and is seeking wide review of the
document at this time.  We would especially value the input of members
of the Public Web Security list.

http://www.w3.org/TR/2012/WD-CSP-20120710/

Content Security Policy is a mechanism web applications can use to
mitigate a broad class of content injection vulnerabilities, such as
cross-site scripting (XSS). Content Security Policy is a declarative
policy that lets the authors (or server administrators) of a web
application restrict from where the application can load resources.

To mitigate XSS, for example, a web application can restrict itself to
loading scripts only from known, trusted URIs, making it difficult for
an attacker who can inject content into the web application to inject
malicious script.

Content Security Policy (CSP) is not intended as a first line of
defense against content injection vulnerabilities. Instead, CSP is
best used as defense-in-depth, to reduce the harm caused by content
injection attacks.

There is often a non-trivial amount of work required to apply CSP to
an existing web application. To reap the greatest benefit, authors
will need to move all inline script and style out-of-line, for example
into external scripts, because the user agent cannot determine whether
an inline script was injected by an attacker.

To take advantage of CSP, a web application opts into using CSP by
supplying a Content-Security-Policy HTTP header. Such policies apply to
the current resource representation only. To supply a policy for an
entire site, the server needs to supply a policy with each resource
representation.

Please submit comments to public-webappsec@w3.org

Thank you,

Brad Hill

Co-Chair

W3C Web Application Security WG

Received on Wednesday, 5 September 2012 13:09:38 UTC
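As an added example that is not part of the email or of the W3C draft, the Python below sketches the server side of what the call describes: a constructed policy is serialised into the Content-Security-Policy header, attached to every response (because a policy covers only the representation it is sent with), and a simplified CSP 1.0 source match shows that inline script and off-list origins are rejected. The origins, the CDN host and the WSGI wrapper are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed example policy: scripts only from the page's own origin and one named CDN.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
}

def build_header(policy):
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)

def source_matches(expr, url, page_url):
    """Simplified CSP 1.0 source-expression match ('self', host-source, *. wildcard)."""
    if expr == "'self'":
        return _origin(url) == _origin(page_url)
    if expr.startswith("'"):          # 'none', 'unsafe-inline', ... never match a URL
        return False
    if "://" not in expr:             # no scheme given: inherit the protected resource's
        expr = urlsplit(page_url).scheme + "://" + expr
    pat, (scheme, host, port) = urlsplit(expr), _origin(url)
    if pat.scheme != scheme:
        return False
    pat_host = pat.hostname.lower()
    host_ok = host.endswith(pat_host[1:]) if pat_host.startswith("*.") else host == pat_host
    if not host_ok:
        return False
    return port == (pat.port or (443 if scheme == "https" else 80))

def script_allowed(policy, src, page_url):
    """src=None models an inline <script>: blocked unless 'unsafe-inline' is listed."""
    srcs = policy.get("script-src") or policy.get("default-src", [])
    if src is None:
        return "'unsafe-inline'" in srcs
    return any(source_matches(e, src, page_url) for e in srcs)

def add_csp(app, policy=POLICY):
    """WSGI middleware: a policy covers only the response it rides on, so send it on each."""
    header = build_header(policy)
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            return start_response(status, headers + [("Content-Security-Policy", header)], exc_info)
        return app(environ, sr)
    return wrapped
```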