- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 18 Oct 2011 10:10:29 -0700
- To: "Michael A. Peters" <mpeters@domblogger.net>
- CC: public-web-security@w3.org
Leaving aside the question about an advocacy group for CSP, I don't see why the use case you listed can't be supported under CSP. You can allow the inline style block, with small risk to the application, by adding "style-src 'unsafe-inline'" to the policy. Also, since the no-inline-script restriction only applies to the top-level document, an iframe that contains inline script can be enabled simply by adding the iframe's hostname to the frame-src directive.

Cheers,
Brandon

On 10/14/2011 04:56 PM, Michael A. Peters wrote:
> I hope this isn't off topic.
>
> I'm working on building a CMS from the ground up, trying to implement sane security from the start in what I have identified as commonly exploited vulnerabilities in web apps that happened because of poor design (i.e. write perm to directory the server serves, write perm to config file the server executes rather than parses, yada yada, the list is a mile long).
>
> Of course I am implementing CSP from the start, and it seems like a battle against widget providers.
>
> Facebook share button. If they have a version that does not want to inject a style node a mile long along with an iframe that is full of inline script, I sure haven't found it. So I can't have a Facebook share button available.
>
> It seems they have to have an iframe because they insist on counting how many friends have shared it, which seems stupid to me, but it's what they do.
>
> I've tried contacting FB about it and get no response, and my requests to join their developer group are never approved (or so I assume, never notified either way, they don't communicate well).
>
> I think it would be beneficial if there was a public advocacy group that attempted to work with these companies to try and get them to produce CSP compatible widgets. Kind of like what Guy Kawasaki did for Apple.
>
> Right now it seems I either lax up my desire for premium webapp security or don't have features people want (like a share button) that shouldn't be technically difficult to do securely, and that's kind of sad.
Received on Tuesday, 18 October 2011 17:09:33 UTC
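The two directives Brandon names, style-src 'unsafe-inline' and frame-src with the widget's hostname, are easy to get subtly wrong (default-src fallback, wildcard hosts, ports). The following is an added example, not code from the thread or from any browser's CSP implementation: a small evaluator that parses a Content-Security-Policy header value the CSP 1.0 way (directives split on ';', the first occurrence of a directive wins, style-src and frame-src fall back to default-src) and answers two questions for the embedding page: may it carry an inline style block, and may it frame a given URL. The policies, the document origin https://example.test and the frame URL https://www.facebook.com/plugins/share are constructed for the example, not taken from Facebook's actual widget.

```javascript
// Added example (not from the mailing-list thread). Minimal CSP 1.0-style
// evaluator for style-src 'unsafe-inline' and frame-src <host-source>.
// Policy strings, origins and URLs below are constructed for illustration.

// Parse "dir1 src src; dir2 src" into Map<directiveName, [sourceExpressions]>.
// CSP ignores a directive that is repeated, so only the first one is kept.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list governing `directive`, honouring the default-src fallback.
// null means the policy places no restriction on that fetch type at all.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression match the URL being loaded?
// 'self' is resolved against the origin of the document carrying the policy.
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === selfOrigin;
  if (e.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (e.endsWith(':') && !e.includes('/')) return url.protocol === e; // scheme-source
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const urlHost = url.hostname.toLowerCase();
  if (wildcard) {
    // "*.facebook.com" matches www.facebook.com but not facebook.com itself.
    if (!urlHost.endsWith('.' + host)) return false;
  } else if (urlHost !== host) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === undefined) return urlPort === defaultPort(url.protocol);
  return port === '*' || port === urlPort;
}

// May the document that carries this policy contain an inline <style> block?
function allowsInlineStyle(policy) {
  const sources = sourcesFor(policy, 'style-src');
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// May the document that carries this policy embed an <iframe src=frameUrl>?
// Only the embedding page's policy is consulted here: the framed document is
// governed by whatever CSP header *its own* response carries, which is why
// inline script inside the widget's iframe is not blocked by this policy.
function allowsFrame(policy, frameUrl, selfOrigin) {
  const sources = sourcesFor(policy, 'frame-src');
  if (sources === null) return true;
  const url = new URL(frameUrl);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Convenience wrapper: evaluate a header against the share-widget shape
// described in the thread (inline style node + iframe from the widget host).
function evaluateWidget(header, frameUrl, selfOrigin) {
  const policy = parseCsp(header);
  return {
    inlineStyle: allowsInlineStyle(policy),
    frame: allowsFrame(policy, frameUrl, selfOrigin),
  };
}

// Constructed inputs for the worked check.
const SELF_ORIGIN = 'https://example.test';
const WIDGET_FRAME = 'https://www.facebook.com/plugins/share';
const STRICT_POLICY = "default-src 'self'";
const WIDGET_POLICY =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-src www.facebook.com";

console.log('strict:', evaluateWidget(STRICT_POLICY, WIDGET_FRAME, SELF_ORIGIN));
console.log('widget:', evaluateWidget(WIDGET_POLICY, WIDGET_FRAME, SELF_ORIGIN));
```

With the strict policy both checks fail, because style-src and frame-src are absent and fall back to default-src 'self'. Adding the two directives Brandon suggests flips both to allowed while leaving script-src on the embedding page untouched: the inline script lives inside the framed document, which is evaluated under its own headers, not under the CMS page's policy. Note that a bare hostname source without a port only matches the scheme's default port, and that a "*." wildcard does not match the bare parent domain; both are common surprises when a widget redirects to another host or port.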