RE: CSP in meta header unsupported? Link to discussion?

John,

Since CSP has been adopted by the Web Application Security WG in the W3C, discussion on it has mostly moved over to that group's list: public-webappsec@w3.org (copied on this email)

It so happens we just discussed this issue recently:

http://lists.w3.org/Archives/Public/public-webappsec/2012Mar/0050.html
http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0000.html

and agreed on our last conference call to remove the feature from 1.0.  I'll post the minutes of that call shortly, but my recollection is that Mozilla was concerned that the META tag, in combination with first-policy-wins semantics, gave an opportunity to potentially disable CSP with a content-injection that occurred ahead of the tag.

Since Mozilla didn't have and didn't intend to implement META support, and the WG's charter requires two implementations to advance a proposed draft to Recommendation status, we decided to strike the feature.

I'd encourage you to read the archived discussions above and raise your concerns again on the public-webappsec list if you feel they weren't addressed. The WG is also having a face-to-face meeting next week where we'll be discussing final changes to 1.0 and beginning discussion of features for version 1.1. The META tag and/or a DOM API to trigger CSP functionality are on our agenda as potential 1.1 features.

Thanks,

Brad Hill
WebAppSec WG Co-Chair 
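
As an added illustration of the hazard Brad describes (this is not code from the thread, the WG, or any browser): under first-policy-wins semantics, a policy delivered in a META tag is only as strong as the markup that precedes it. If any untrusted value is reflected into the document ahead of the tag without escaping, the attacker can inject their own META policy first, and that is the one that gets enforced. The page markup, origins, policy strings and attacker input below are all constructed for the example, and the CSP source matching is deliberately simplified (exact origin, 'self' and '*' only).

```javascript
// Added example: a model of the "first policy wins" hazard with META-delivered
// CSP. All markup, origins and policies here are constructed for illustration.

// Pull every <meta http-equiv="Content-Security-Policy"> content value out of
// an HTML string, in document order. Document order is what matters under
// first-policy-wins: whichever tag the parser sees first is the one enforced.
function extractMetaPolicies(html) {
  const policies = [];
  const metaTag = /<meta\b[^>]*>/gi;
  const isCsp = /http-equiv\s*=\s*["']?content-security-policy["']?/i;
  const contentAttr = /\bcontent\s*=\s*"([^"]*)"/i;
  let m;
  while ((m = metaTag.exec(html)) !== null) {
    if (!isCsp.test(m[0])) continue;
    const c = contentAttr.exec(m[0]);
    if (c) policies.push(c[1].trim());
  }
  return policies;
}

// First-policy-wins semantics: only the first policy seen is enforced;
// later META policies are ignored. Returns null when no META policy exists.
function effectivePolicy(html) {
  const policies = extractMetaPolicies(html);
  return policies.length ? policies[0] : null;
}

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Would a script from `origin` be allowed by `policy` on a page at `pageOrigin`?
// script-src falls back to default-src; no policy at all means no restriction.
// Simplified matching: '*', 'self', or an exact origin string.
function allowsScriptFrom(policy, origin, pageOrigin) {
  if (policy === null) return true;
  const sources = parsePolicy(policy).get('script-src')
    ?? parsePolicy(policy).get('default-src');
  if (sources === undefined) return true;
  return sources.some(src =>
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    src === origin);
}

// Constructed page: the site's own policy sits in <head>, but a user-controlled
// value is reflected into <title> *before* it, without HTML-escaping.
const PAGE_ORIGIN = 'https://app.example';     // assumed origin
const SITE_POLICY = "default-src 'self'";      // the policy the site intends
function renderPage(title) {
  return `<html><head><title>${title}</title>` +
    `<meta http-equiv="Content-Security-Policy" content="${SITE_POLICY}">` +
    `</head><body><p>hello</p></body></html>`;
}

// Benign input: the site's policy is the first (and only) one the parser sees.
const BENIGN_HTML = renderPage('My profile');

// Injected input: closes <title> and inserts a permissive policy ahead of the
// real tag, so under first-policy-wins the attacker's policy is enforced and
// a script from an attacker origin is no longer blocked.
const INJECTED_HTML = renderPage(
  '</title><meta http-equiv="Content-Security-Policy" content="default-src *">');
```

Running `effectivePolicy` over the two documents shows the site's policy winning on the benign page and the injected `default-src *` winning on the attacked page, which is exactly why a policy delivered in a response header (set before any body bytes exist) does not have this problem.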


From: John Wilander [mailto:john.wilander@owasp.org] 
Sent: Thursday, April 26, 2012 2:52 AM
To: public-web-security@w3.org
Subject: CSP in meta header unsupported? Link to discussion?

I cannot find any reference to support or non-support for CSP via meta http-equiv tags in the current draft https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Also, a search through my email doesn't reveal any obvious discussion on taking meta header support out. On the contrary, I found several references to meta header support from 2011. Is there a discussion I've missed?

If meta header support was dropped, have we considered all the frontend-only apps being built out there? I have several projects of my own that don't have a server-side, and with regular hosting providers you don't get to simply add response headers to the web server.

I would also argue that adoption is far simpler if you can just add a meta header in the index.html of your single-page app than start configuring the web server locally, in the test environment and in production with potential changes in outgoing filters etc. Even scoping is much simpler with a meta header in a static file instead of configuring response headers per context root.

Thoughts?

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se

Received on Thursday, 26 April 2012 15:46:20 UTC