[Content Security Policy] A more modular approach

Hello everyone,

We've heard a number of great ideas brought to the table this week and
last and I'd like to make an attempt to incorporate those ideas in a way
that hopefully satisfies everyone (a lofty goal!).

One goal of the following is to decouple the model so that browsers can
implement only the sections that they feel are valuable at this time
[1].  Another goal is to reduce some of the confusion around directive
names and interaction.

Proposal:

1. Rename allow to default-src.

2. TBD: does default-src mean:
   a. a specific list of content restrictions, e.g. images,
      stylesheets, fonts, (potentially modified in future versions of
      CSP), all of which a browser must implement in order to be said
      to support default-src
   b. shorthand for all the content loading directives that a given
      browser does support, even if it means that the list differs
      across browsers

3. default-src is no longer required
   a. browsers are free to implement only the directives they feel are
      valuable
   b. sites that want protection in browsers that don't support
      default-src will need to enumerate the directives that are
      supported there

4. rename |options inline| to |options permit-xss| or something equally
   scary

5. TBD: given #3, we need a way to allow browsers not implementing
   default-src to mitigate XSS via plugins.  Here are a couple of
   alternatives we could pursue (not an exhaustive list):
   a. remove script-src and add code-src directive to encompass script
      loading plus plugin loading
   b. leave script-src and object-src as they are and expect browsers
      to implement both and sites to specify both in their policy
   c. leave script-src and object-src and add new code-src directive
      that encompasses both

I think the approach of having people respond to sections of the
proposal individually worked well before, so I would ask that we repeat
that process again here.  I look forward to your responses.

Best,
Brandon

[1] My personal hope is that all browsers will eventually implement an
    identical set of restrictions so that websites may have a clear
    set of expectations for browser behavior given a particular
    policy.  In the interest of creating version 1 of the standard, I
    think the decoupling will allow us to move forward faster.

Received on Monday, 31 January 2011 23:00:32 UTC
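The following is an added example, not part of the message above and not code from any browser or from the CSP draft: a toy model of the proposed directive semantics, written to show why point 3b follows from point 3a. It assumes (my assumptions, not the proposal's) a "directive source-list; directive source-list" policy syntax, source expressions limited to 'none', 'self' and bare host names, a fixed list of content-loading directives, and option 2b for default-src (shorthand for every content-loading directive a given browser supports). The two browser profiles, the policy strings and the host names are constructed for the demonstration.

```javascript
// Toy model of the proposed CSP directive semantics (added example, not
// from the original message). Assumptions: policy syntax is
// "directive source-list; directive source-list"; source expressions are
// only 'none', 'self' and bare host names; default-src is shorthand for
// every content-loading directive the browser supports (option 2b).

const CONTENT_DIRECTIVES = ['script-src', 'object-src', 'img-src', 'style-src', 'font-src'];

// Parse "name src src; name src" into Map<directive, [sources]>.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Does any source expression permit loading from resourceHost?
// 'none' matches nothing; 'self' matches the document's own host.
function sourceAllows(sources, origin, resourceHost) {
  for (const src of sources) {
    if (src === "'none'") continue;
    if (src === "'self'" && resourceHost === origin) return true;
    if (src === resourceHost) return true;
  }
  return false;
}

// `supported` is the set of directive names a particular browser implements.
// A directive the browser does not implement imposes no restriction at all;
// a directive it implements but the policy omits falls back to default-src
// only if the browser also implements default-src.
function isLoadAllowed(policy, supported, directive, origin, resourceHost) {
  if (!supported.has(directive)) return true;
  let sources = policy.get(directive);
  if (sources === undefined && supported.has('default-src')) {
    sources = policy.get('default-src');
  }
  if (sources === undefined) return true; // nothing governs this load
  return sourceAllows(sources, origin, resourceHost);
}

// Evaluate one policy against one browser profile for a third-party host,
// returning {directive: allowed} for every content-loading directive.
function evaluate(policyText, supported, origin, resourceHost) {
  const policy = parsePolicy(policyText);
  const result = {};
  for (const d of CONTENT_DIRECTIVES) {
    result[d] = isLoadAllowed(policy, supported, d, origin, resourceHost);
  }
  return result;
}

// Constructed browser profiles: one implements everything including
// default-src; the other implements only script-src and object-src.
const FULL_BROWSER = new Set(['default-src', ...CONTENT_DIRECTIVES]);
const PARTIAL_BROWSER = new Set(['script-src', 'object-src']);

// Constructed policies and hosts.
const ORIGIN = 'www.example.org';
const EVIL = 'evil.example';
const POLICY_DEFAULT_ONLY = "default-src 'self'";
const POLICY_ENUMERATED = "default-src 'self'; script-src 'self'; object-src 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default-src only, full browser   :', evaluate(POLICY_DEFAULT_ONLY, FULL_BROWSER, ORIGIN, EVIL));
  console.log('default-src only, partial browser:', evaluate(POLICY_DEFAULT_ONLY, PARTIAL_BROWSER, ORIGIN, EVIL));
  console.log('enumerated, partial browser      :', evaluate(POLICY_ENUMERATED, PARTIAL_BROWSER, ORIGIN, EVIL));
}
```

Run with `node` to see the three tables. With `default-src 'self'` alone, the partial browser allows a script and a plugin from evil.example because it has no default-src to fall back to; only the enumerated policy blocks both there, while img-src, style-src and font-src remain unrestricted in that browser because it does not implement them at all.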