- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 27 Jan 2011 14:06:09 -0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On Thu, Jan 27, 2011 at 1:55 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> 1) My site is entirely served over HTTPS, but my developers keep
>> including mixed content by mistake. I wish I could set a policy for
>> my site that prevented me accidentally loading insecure content.
>
> I think it's more complicated than that; it may be unacceptable to
> include content simply from domains you don't control, or have no
> assurances about: if you are a bank, you do not want any image or
> stylesheet on your website to be replaced by "h4x0red by p1gZ" due to
> a developer mistake.
>
> I am not sure it's a problem that should be fixed on browser level;
> but in terms of complexity, browser is definitely one of the most
> attractive and reliable points (compared to, for example, server-side
> auditing). And if there is a consensus that it's worth doing (?), then
> doing it as a part of CSP probably makes more sense than devising a
> separate mechanism.

To re-state your use case:

2) My site has a policy that we can only include content from certain
trusted providers (e.g., our CDN, Amazon S3), but my developers keep
adding dependencies on sites I don't trust. I wish I could set a
policy for my site that prevented me from accidentally loading
resources outside my whitelist.

BTW, I've started a wiki page to record these use cases:

http://www.w3.org/Security/wiki/Use_Cases_for_Content_Security_Policies

Please feel free to add more and/or make that page more beautiful.

Adam

Received on Thursday, 27 January 2011 22:07:14 UTC