Restricting APIs in CSP from Eric Rescorla on 2012-11-02 (public-webappsec@w3.org from November 2012)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 2 Nov 2012 13:48:26 +0100
To: public-webappsec <public-webappsec@w3.org>
Message-ID: <CABcZeBPHwaZuVED00GpXYAW1X40yVtR_nhaRBzZurPgjSyE9-g@mail.gmail.com>

I've been starting to wonder if it's worth having a mechanism to restrict
access to APIs in CSP.  A good example here is getUserMedia(),
which allows access to the camera and microphone. It's going to
be possible to set a persistent permission allowing an origin to
access these devices, but you could imagine that a site might
want to restrict that permission to specific pages. This could
obviously be done with domain sharding, but that's gross...

So, you could imagine a CSP directive like:

forbid-function getUserMedia

That would restrict access to getUserMedia.

Other candidates here might be the webcrypto APIs to the extent to
which they allow access to persistent origin-bound keys.


1. Does this sound like a plausible goal to people?
2. Any suggestions about the syntax?

-Ekr

Received on Friday, 2 November 2012 12:49:35 UTC