W3C home > Mailing lists > Public > public-web-security@w3.org > April 2011

CSP and default policies

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 01 Apr 2011 14:24:29 -0700
Message-ID: <4D96428D.10306@mozilla.com>
To: public-web-security@w3.org
Hello public-web-security,

There is still an open question as to the set of restrictions that
should be enabled by default in CSP.  Jeff H. pointed it out and linked
to some relevant posts here:

Collin made a good point in saying "it should be possible to send a
frame-ancestors directive without implicitly also changing how
javascript URLs work."

The "empty policy" that was being discussed in that context is not
actually the tricky case.  Enough of us are content to make the empty
policy a no-op as to sidestep this particular issue.  Take the case,
though, of a policy with no known directives.  What restrictions should
be enabled there?  So, the question is not "what should we do with an
empty policy?", but "when do the default restrictions kick in?" Without
them there is no XSS protection, after all.

Answers to this question include:
1. when any directive is specified
2. when script-src or object-src is specified

1 and 2 can be thought of fundamentally as a "whitelist" and a
"blacklist", respectively, from the perspective of XSS mitigation.
There are various advantages and drawbacks to each approach which I've
tried to catalog below.  This group needs to decide now which
fundamental approach is used in Content Security Policy.

1. Whitelist model
   Defined: Default restrictions are enabled when any directive is
     specified. Nothing is allowed unless explicitly allowed in the

   - never be surprised by a feature being added to browsers that your
     policy doesn't restrict
   - enables an "optimal policy" development strategy by starting
     with an empty policy and adding incrementally until site "works"
   - more secure "average policy" since XSS protections will be
     enabled more frequently

   - be surprised by a change to the semantics of an existing
   - be surprised by a change to default restrictions
   - coupling between base restrictions and potentially unrelated

2. Blacklist model
   Defined: Base restrictions only apply when a script-y directive is
     specified. Other restrictions are only applied when additional
     directives are specified.

   - never surprised by change to default restrictions (there are

   - be surprised by a change to the semantics of an existing
   - be surprised by a new feature added to browsers that your policy
     doesn't restrict
   - less secure "average policy" since copy/pasting another site's
     CSP is more likely to permit your site to "work"

Both cases involve potential "surprises" to web sites when changes are
made to CSP.  It is for this reason that it may be advisable to
introduce a "compatibility level" directive into the grammar that
communicates to the user agent the set of directives the server is aware
of and beyond which the user agent will not enforce.  This may,
unfortunately, evoke bad memories of a "versioning" debate we had early
on via mozilla.dev.security but it's a topic that seems unavoidable in
some ways.

If you do not agree that the topic of version compatibility is
unavoidable, consider the two following cases which should ideally both
be supported:
A. a web site presently enumerates the full set of capabilities that
   it needs in order to function and wishes to express a policy that
   restricts all capabilites beyond this set
B. a web site presently knows that it wants to express a policy
   prohibiting a risky set of capabilities, but does not want to
   introduce breakage at any point in the future if changes are made
   to CSP

I argue that both cases cannot be supported under either 1 or 2 above
without some compatibility level expressed in the policy.  I certainly
welcome any debate on that point and look forward to your responses.

Received on Friday, 1 April 2011 21:25:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC