Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839)

> Given that many websites don't use CSP correctly, relying on websites to correctly deploy CSP to get the right security behavior is not a great plan.

This doesn't seem like a strong argument against CSP; this could easily be resolved by strengthening the CSP defaults and perhaps even disallowing type changes in some way.

For example, it could be required that all JSON modules be rejected by default unless some policy enables them (e.g. like the strawman one above).

Take this policy, for example:

`Content-Security-Policy: content-type https://foo.bar/*.json text/json`

There's no way for `foo.bar` to upgrade anything of the form `*.json` to a script. The only way to allow it would be to change the policy to `text/javascript`; this seems as adequately secure as the `with json` approach.

Note that in such policies the type could not be wild-carded (e.g. `https://foo.bar/*.json *` would not be allowed, the allowed types would have to be enumerated).

https://github.com/w3c/webcomponents/issues/839#issuecomment-554863816

Received on Monday, 18 November 2019 05:53:48 UTC
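To make the semantics of the proposed policy concrete, here is a toy evaluator for the strawman `content-type` directive discussed in the comment. This is an added example, not code from the thread or from any browser or CSP implementation: the `content-type` directive does not exist in CSP, and its syntax (`<url-pattern> <mime-type>` pairs), the default-deny behaviour for unlisted URLs, and the rejection of a wildcard type at parse time are all assumptions made for illustration. The policy strings and URLs in the demo are constructed.

```javascript
// Added example (not part of the GitHub thread): a toy evaluator for a
// hypothetical `content-type` CSP directive. Assumed syntax:
//   content-type <url-pattern> <mime-type> [<url-pattern> <mime-type> ...]
// A module whose URL matches a pattern may only be interpreted as the
// enumerated MIME type; URLs no rule covers are refused (default deny),
// and a wildcard type ("*") is rejected when the policy is parsed.

function patternToRegExp(pattern) {
  // Escape regex metacharacters, then let "*" match any run of characters.
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function parseContentTypeDirective(policy) {
  // Accept either a bare policy or one prefixed with the header name.
  const body = policy.replace(/^\s*Content-Security-Policy:\s*/i, "");
  const directive = body
    .split(";")
    .map(s => s.trim())
    .find(s => s.startsWith("content-type "));
  if (!directive) return [];

  const tokens = directive.split(/\s+/).slice(1);
  if (tokens.length % 2 !== 0) {
    throw new Error("content-type: expected <url-pattern> <mime-type> pairs");
  }
  const rules = [];
  for (let i = 0; i < tokens.length; i += 2) {
    const urlPattern = tokens[i];
    const mime = tokens[i + 1];
    // The type must be enumerated; "*" (or any wildcard) is not allowed.
    if (mime.includes("*")) {
      throw new Error(`content-type: MIME type must be enumerated, got "${mime}"`);
    }
    rules.push({ urlPattern, re: patternToRegExp(urlPattern), mime: mime.toLowerCase() });
  }
  return rules;
}

// Decide whether a module fetched from `url` may be parsed as `requestedType`.
// Returns false when no rule covers the URL (default deny) or when every
// matching rule names a different type.
function isModuleTypeAllowed(policy, url, requestedType) {
  const rules = parseContentTypeDirective(policy);
  const matching = rules.filter(r => r.re.test(url));
  if (matching.length === 0) return false;
  return matching.some(r => r.mime === requestedType.toLowerCase());
}

// Constructed demo policy, mirroring the one in the comment.
const DEMO_POLICY =
  "Content-Security-Policy: content-type https://foo.bar/*.json text/json";

console.log(isModuleTypeAllowed(DEMO_POLICY, "https://foo.bar/data.json", "text/json"));       // true
console.log(isModuleTypeAllowed(DEMO_POLICY, "https://foo.bar/data.json", "text/javascript")); // false
console.log(isModuleTypeAllowed(DEMO_POLICY, "https://foo.bar/app.js", "text/javascript"));    // false
```

Loosening the policy to `text/javascript` for the same pattern is the only way the evaluator will let a `*.json` URL run as script, which is the property the comment relies on; a policy that tries `https://foo.bar/*.json *` fails at parse time rather than silently allowing every type.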