- From: Nick Gearls <nickgearls@gmail.com>
- Date: Wed, 27 Jul 2011 12:50:39 +0200
- To: public-web-security@w3.org
Hi Dan,

As I said, you could leave the choice to the site owner. You could have a syntax allowing to add/remove/reset directives. Ex:

script-src +partner.com -> allow on top of previous settings
script-src -partner.com -> keep previous settings but remove this site
script-src partner.com -> reset settings

Btw, header injection is, I think, not very usual for most sites. And if you can do that, that probably means that you can do anything on that site, including modify or delete a header, no?

Regards,
Nick

On 27/7/2011 1:56, Daniel Veditz wrote:
> On 7/26/11 3:27 AM, Nick Gearls wrote:
>> 1. Whatever you want, you may use only one header.
>> Whether you want to restrict or to relax a rule in a sub-location,
>> don't bother to try to add a header (or even a directive inside the
>> header), it does not work.
>
> Web developers will certainly want a way to specify a default site
> rule and then allow for spot relaxation/tightening, but
> unfortunately that kind of thing will have to be built into site
> frameworks. If we allow an additional header to relax a rule then
> any header-injection flaw means an attacker can add "default-src *;
> options inline-script;" thereby disabling any CSP protection.
>
> We also wanted to err on the side of being too strict. We can always
> loosen the behavior in the future and keep today's strict policies
> working. If we started out too loose and had to make things more
> strict we'd end up breaking most of our early adopters.
>
> Thanks for your courage trying out CSP at such an early time and
> your feedback is much appreciated!
>
> -Dan Veditz
Received on Wednesday, 27 July 2011 10:49:55 UTC
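Added example, not part of the thread and not code from the CSP specification or any browser: a small JavaScript model of the two ways of combining several Content-Security-Policy headers that the exchange above contrasts. The first, "every delivered policy must allow the load", is what Dan describes: an extra header can only tighten the result, so an injected "default-src *" changes nothing. The second is the +host / -host merge Nick proposes, modelled as a hypothetical so its effect under header injection can be compared. Only script-src is evaluated, source matching is simplified to scheme, host and port (no inline/nonce/hash handling), and the page origin, hostnames and policy strings are constructed for the demonstration.

```javascript
// Parse "script-src 'self' cdn.example.com; img-src *" into a Map of
// directive name -> source expressions. The first occurrence of a directive
// within one policy wins; later duplicates are ignored.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source-expression matching: 'none', '*', 'self', and host
// sources with optional scheme, "*." wildcard and port. Keywords such as
// 'unsafe-inline' are not modelled and simply never match a URL.
function sourceMatches(source, pageOrigin, url) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return url.origin === pageOrigin;
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.replace(":", "");
  if (scheme && scheme !== urlScheme) return false;
  if (!scheme && urlScheme !== "http" && urlScheme !== "https") return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  if (!hostOk) return false;
  const urlPort = url.port || (urlScheme === "https" ? "443" : "80");
  return !port || port === "*" || port === urlPort;
}

// One policy allows a script if script-src (or, failing that, default-src)
// lists a matching source. A policy with neither directive allows everything.
function policyAllowsScript(policy, pageOrigin, scriptUrl) {
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, pageOrigin, url));
}

// Intersection semantics: when several policies are delivered, every one of
// them must allow the load. Adding a header can only tighten the outcome.
function allowedByAllPolicies(policyTexts, pageOrigin, scriptUrl) {
  return policyTexts
    .map(parsePolicy)
    .every((p) => policyAllowsScript(p, pageOrigin, scriptUrl));
}

// Hypothetical +/- merge from the proposal: a plain source list resets the
// directive, "+host" adds to the previous list, "-host" removes from it.
function mergeAdditive(policyTexts) {
  const merged = new Map();
  for (const text of policyTexts) {
    for (const [name, sources] of parsePolicy(text)) {
      const hasModifier = sources.some((s) => s[0] === "+" || s[0] === "-");
      if (!hasModifier) { merged.set(name, sources); continue; }
      const current = new Set(merged.get(name) ?? []);
      for (const s of sources) {
        if (s[0] === "+") current.add(s.slice(1));
        else if (s[0] === "-") current.delete(s.slice(1));
        else current.add(s);
      }
      merged.set(name, [...current]);
    }
  }
  return merged;
}

function allowedUnderAdditiveMerge(policyTexts, pageOrigin, scriptUrl) {
  return policyAllowsScript(mergeAdditive(policyTexts), pageOrigin, scriptUrl);
}

// Constructed scenario: the site's own policy, plus a second header that an
// attacker manages to append through a (hypothetical) header-injection flaw.
const PAGE_ORIGIN = "https://shop.example";
const SITE_POLICY = "script-src 'self' cdn.example.com";
const INJECTED_PERMISSIVE = "default-src *";
const INJECTED_ADDITIVE = "script-src +attacker.example";
const TIGHTENING = "script-src -cdn.example.com";

function demo() {
  const cdn = "https://cdn.example.com/lib.js";
  const evil = "https://attacker.example/x.js";
  return {
    intersection: {
      cdn: allowedByAllPolicies([SITE_POLICY, INJECTED_PERMISSIVE], PAGE_ORIGIN, cdn),
      evil: allowedByAllPolicies([SITE_POLICY, INJECTED_PERMISSIVE], PAGE_ORIGIN, evil),
    },
    additive: {
      evil: allowedUnderAdditiveMerge([SITE_POLICY, INJECTED_ADDITIVE], PAGE_ORIGIN, evil),
      cdnAfterRemove: allowedUnderAdditiveMerge([SITE_POLICY, TIGHTENING], PAGE_ORIGIN, cdn),
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under intersection the injected "default-src *" is satisfied trivially by the attacker's script but the site's own policy still rejects it, so the injection gains nothing; under the additive merge the same injection capability turns "+attacker.example" into a whitelisted host. The "-cdn.example.com" case shows that subtractive changes are harmless in either model, which is why later CSP versions let additional policies only restrict.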