- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 28 Jan 2011 10:54:03 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- CC: public-web-security@w3.org
On 1/28/11 2:19 AM, gaz Heyes wrote:
> On 27 January 2011 16:54, Brandon Sterne wrote:
> > 6. Policy delivery
> > a. HTTP header
> > b. <meta> (or <link>) tag, to be superseded by header if present
> > c. policy-uri: a URI from which the policy will be fetched; can be
> > specified in either header or tag
>
> a) Policy shouldn't be defined in an HTTP header, it's too messy and what
> happens when there's a mistake?

Care to elaborate on this some more? What do you mean by "too messy" and in what ways could a "mistake" be made with a policy header that couldn't be equivalently made using the other methods?

> b) As discussed on the list there is no need to have a separate method
> as it can be generated by an attacker. If a policy doesn't exist then an
> attacker can now DoS the web site via meta.

That's true, I suppose. But if an attacker can inject a full <meta> tag with malicious CSP into the <head> of a webpage, couldn't they likely inject a <script> tag or other arbitrary HTML? Strictly speaking, though, if our assumption is that an attacker could inject their own <meta>, but not anything else, into a site then yes, this feature could potentially make that site worse off.

> c) We have a winner, an HTTP header specifying a link to the policy file
> is the way to go IMO, my only problem with it is devs implementing it.
> Yes facebook would and probably twitter would but Dave's tea shop
> wouldn't pay enough money to hire a web dev who knew how to implement a
> custom HTTP header yet they would know how to validate HTML. So the
> question is are we bothered about little sites that are likely to have
> nice tea and XSS holes? If so I suggest updating the HTML W3C validator
> to require a security policy to pass validation if not I suggest a
> policy file delivered by HTTP header.
I don't really follow the logic of this section (aren't HTTP headers "messy"?), but I do think that a success criterion for the model should be that it is simple enough to be implemented by large and small sites alike.

Cheers,
Brandon
Received on Friday, 28 January 2011 18:54:37 UTC
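The precedence rule from point 6 (header supersedes <meta>, policy-uri allowed in either) and the "DoS via meta" case from point b) can be made concrete with a small resolver. This is an added example, not code from the thread or from any CSP implementation; it assumes the 2011-era header name X-Content-Security-Policy, a `<meta http-equiv>` form of the same name, that the first <meta> found is used when several are present, and a caller-supplied `fetch_policy_uri(uri)` callable that returns the body of a policy file.

```python
from html.parser import HTMLParser

# Assumed name for the header / meta http-equiv carrying the policy (2011-era).
HEADER_NAME = "x-content-security-policy"


class _MetaPolicyFinder(HTMLParser):
    """Collect the content of every policy-bearing <meta http-equiv> in <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif (tag == "meta" and self.in_head
              and (a.get("http-equiv") or "").lower() == HEADER_NAME):
            self.policies.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def resolve_policy(headers, html, fetch_policy_uri):
    """Return (source, policy_text): the header wins over any <meta>, and a
    'policy-uri' directive in either is resolved via fetch_policy_uri(uri)."""
    header_value = next((v for k, v in headers.items()
                         if k.lower() == HEADER_NAME), None)
    if header_value is not None:
        source, policy = "header", header_value
    else:
        finder = _MetaPolicyFinder()
        finder.feed(html)
        if not finder.policies:
            return ("none", None)
        # No header present: whatever <meta> sits in <head> becomes the effective
        # policy. This is the injected-meta DoS case; sending the header closes it.
        source, policy = "meta", finder.policies[0]  # first tag wins (assumption)
    for directive in (d.strip() for d in policy.split(";") if d.strip()):
        name, _, value = directive.partition(" ")
        if name.lower() == "policy-uri":
            return (source + "+policy-uri", fetch_policy_uri(value.strip()))
    return (source, policy)


# Constructed sample: a page whose <head> carries a fully restrictive meta policy.
CONSTRUCTED_HTML = ("<html><head><meta http-equiv=\"X-Content-Security-Policy\" "
                    "content=\"allow 'none'\"></head><body>tea shop</body></html>")
```

With no header the restrictive meta policy is what takes effect; once the server sends the header, the same meta tag is ignored.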