Re: Proposal: CSP "allow-modification" directive from Adam Barth on 2011-12-08 (public-webappsec@w3.org from December 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 8 Dec 2011 15:39:49 -0800
To: Collin Jackson <collin.jackson@sv.cmu.edu>
Cc: public-webappsec@w3.org, Eric Chen <eric.chen@sv.cmu.edu>, Rami Shomali <rami.shomali@sv.cmu.edu>, Chinmay Garde <chinmay.garde@sv.cmu.edu>, Yolando Pereira <yolando.pereira@sv.cmu.edu>
Message-ID: <CAJE5ia9qQTECtfb7Ua5dVbmfYVnEwFdyJwP6d+Lbb5L1nVvd7w@mail.gmail.com>

I agree that there's a use case for including third-party widgets in
your page without you having to know all the resources that they might
include.  It's slightly unclear to me what the best delegation
mechanism might be.  For example, you might want to set a bound like
"my advertising provider can whitelist hosts for scripting, as long as
they always use HTTPS."

In any case, I think this is a use case we should think about for CSP
1.1.  I'll add your proposal to the wiki shortly.

Adam


On Thu, Dec 8, 2011 at 12:06 PM, Collin Jackson
<collin.jackson@sv.cmu.edu> wrote:
> One problem I see with CSP is that it encourages a one-size-fits-all policy
> for an entire site, whereas in reality each page might want different
> policies, and a single page might want different policies at different
> times. I would like to propose a CSP "allow-modification" directive that
> exposes a JavaScript API for adding new CSP directives to the current page.
> I envision this would mostly be used by third-party script providers. For
> example:
>
> - Sites can delegate their CSP policy to third-party security companies on a
> page-by-page basis. Right now, you can do this on a page-by-page basis with
> policy-uri, but it has poor cache performance.
> - Third-party ad networks (e.g. DoubleClick) could choose ad servers
> dynamically to serve ad content.
> - Third-party analytics providers could add and remove report-URIs without
> having to get the web site change its server configuration.
> - Better support for CSP in single-page web applications where more sources
> of content are added over lifetime of a single page (e.g. a streaming news
> feed that contains third-party images)
>
> I don't see a security risk to setting the "allow-modification" directive
> (if the attacker could run JavaScript on your site to add a new CSP
> directive, they could already steal your cookies and other private data) but
> it's probably a good idea to make it opt-in just in case.
>
> Collin

Received on Thursday, 8 December 2011 23:40:48 UTC