- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 8 Dec 2011 13:57:38 -0800 (PST)
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webappsec@w3.org, Giorgio Maone <g.maone@informaction.com>
I'm also fine with making the change to Adam's "first-wins" proposal. -Brandon ----- Original Message ----- From: "Adam Barth" <w3c@adambarth.com> To: "Giorgio Maone" <g.maone@informaction.com> Cc: public-webappsec@w3.org Sent: Thursday, December 8, 2011 1:16:03 PM Subject: Re: ISSUE-4: Policy combination On Thu, Dec 8, 2011 at 12:55 PM, Giorgio Maone <g.maone@informaction.com> wrote: > Eric Rescorla wrote, On 08/12/2011 21.32: >> 1. In the header, a policy which specifies a policy-uri which takes 10 >> seconds to load. 2. In the body, a meta tag with a complete policy Which >> one of these did the agent "encounter first"? > > The former. And if it times out, enforce default-src 'none'. Correct. policy-uri needs to block processing of the page until the policy can be fetched anyway. Adam > Eric Rescorla wrote, On 08/12/2011 21.32: >> Is this deterministic? Consider the case where a document has two >> policies: >> >> 1. In the header, a policy which specifies a policy-uri which takes 10 >> seconds to load. 2. In the body, a meta tag with a complete policy >> >> Which one of these did the agent "encounter first"? >> >> -Ekr >> >> >> >> >> On Thu, Dec 8, 2011 at 12:10 PM, Giorgio Maone <g.maone@informaction.com> >> wrote: >>> +1 for A, first seen wins. >>> >>> -- G >>> >>> Adam Barth wrote, On 08/12/2011 20.35: >>>> One of our open issues is about how to deal with multiple CSP >>>> policies for a given resource. At TPAC, one resolution we discussed >>>> was the following: >>>> >>>> 1) If a resource has multiple HTTP headers containing CSP policies, >>>> enforce all of the policies. Because CSP policies only reduce >>>> privileges (never grant privileges), that effectively means that an >>>> action is allowed only if it is allowed by all the CSP policies. >>>> >>>> 2) If a resource has a CSP policy from an HTTP header, then we >>>> ignore any CSP policies that might be contained in <meta> elements. >>>> Otherwise, the user agent enforces all the CSP policies found in >>>> <meta> elements. >>>> >>>> Another resolution (which I advocate) is the following: >>>> >>>> A) The first CSP policy the user agent encounters for a document >>>> wins. >>>> >>>> IMHO, approach (A) is better than approach (1+2) for two reasons. >>>> First, it's simpler. CSP is already more complex that it should be. >>>> Adding more complexity is costly, both now in terms of >>>> implementation and in the future in terms of constraints. >>>> >>>> Second, approach (1+2) constrains future evolution of CSP. For >>>> example, suppose we wanted to include >>>> http://wiki.whatwg.org/wiki/Meta_referrer as a CSP directive. How >>>> would we define the combination of policies containing referrer >>>> directives? We'd have to define some ordering like "never < origin >>>> < always", but where does default fit in? >>>> >>>> These are, in some sense, the same concern. We can implement >>>> combination today, but it imposes constrains on the future that we >>>> might wish we didn't have later. >>>> >>>> Adam >>>> >>> >>> >> > >
Received on Thursday, 8 December 2011 21:58:07 UTC