Re: Trimming the SecurityPolicy DOM interface from Eduardo' Vela on 2013-04-27 (www-tag@w3.org from April 2013)

From: Eduardo' Vela <evn@google.com>
Date: Sun, 28 Apr 2013 06:24:18 +0800
To: Adam Barth <w3c@adambarth.com>
Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CAFswPa9iOB6EB94fmL3EZsNzdfMGHch6PQLc1dZ2zmPiEDO6Wg@mail.gmail.com>

I have a use case!

For example, Analytics, google.com/jsapi, and Ads as well as similar
scripts need to be able to load other scripts, and unless the parent page
is using script-nonce (and a forgiving img-src/frame-src), it's impossible
to do so.

One could argue that script-nonce is the right way of doing this, but it's
impossible for service providers such as Google to enforce all sites on the
interwebs that wanna use CSP to use script-nonces as they can't be used on
dynamic pages.

What would be nice would be to have an API where you set a starting CSP and
somehow allow scripts to modify it, by either extending it, or subsetting
it.

For example, script-extend https://www.google.com/jsapi could allow the
script loaded from that source to extend the CSP policy.

Received on Saturday, 27 April 2013 22:25:05 UTC