Re: ISSUE-4: Policy combination from Adam Barth on 2011-12-09 (public-webappsec@w3.org from December 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 8 Dec 2011 18:16:10 -0800
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-webappsec@w3.org, Giorgio Maone <g.maone@informaction.com>
Message-ID: <CAJE5ia_kmZgtBHWTd5LUw=ybjYWuToHRa6t1G2-eBk3+QYe6Rw@mail.gmail.com>

I've updated the spec reflect the "first-wins" behavior.

Adam


On Thu, Dec 8, 2011 at 1:57 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> I'm also fine with making the change to Adam's "first-wins" proposal.
>
> -Brandon
>
>
> ----- Original Message -----
> From: "Adam Barth" <w3c@adambarth.com>
> To: "Giorgio Maone" <g.maone@informaction.com>
> Cc: public-webappsec@w3.org
> Sent: Thursday, December 8, 2011 1:16:03 PM
> Subject: Re: ISSUE-4: Policy combination
>
> On Thu, Dec 8, 2011 at 12:55 PM, Giorgio Maone <g.maone@informaction.com> wrote:
>> Eric Rescorla wrote, On 08/12/2011 21.32:
>>> 1. In the header, a policy which specifies a policy-uri which takes 10
>>> seconds to load. 2. In the body, a meta tag with a complete policy Which
>>> one of these did the agent "encounter first"?
>>
>> The former. And if it times out, enforce default-src 'none'.
>
> Correct.  policy-uri needs to block processing of the page until the
> policy can be fetched anyway.
>
> Adam
>
>
>> Eric Rescorla wrote, On 08/12/2011 21.32:
>>> Is this deterministic? Consider the case where a document has two
>>> policies:
>>>
>>> 1. In the header, a policy which specifies a policy-uri which takes 10
>>> seconds to load. 2. In the body, a meta tag with a complete policy
>>>
>>> Which one of these did the agent "encounter first"?
>>>
>>> -Ekr
>>>
>>>
>>>
>>>
>>> On Thu, Dec 8, 2011 at 12:10 PM, Giorgio Maone <g.maone@informaction.com>
>>> wrote:
>>>> +1 for A, first seen wins.
>>>>
>>>> -- G
>>>>
>>>> Adam Barth wrote, On 08/12/2011 20.35:
>>>>> One of our open issues is about how to deal with multiple CSP
>>>>> policies for a given resource.  At TPAC, one resolution we discussed
>>>>> was the following:
>>>>>
>>>>> 1) If a resource has multiple HTTP headers containing CSP policies,
>>>>> enforce all of the policies.  Because CSP policies only reduce
>>>>> privileges (never grant privileges), that effectively means that an
>>>>> action is allowed only if it is allowed by all the CSP policies.
>>>>>
>>>>> 2) If a resource has a CSP policy from an HTTP header, then we
>>>>> ignore any CSP policies that might be contained in <meta> elements.
>>>>> Otherwise, the user agent enforces all the CSP policies found in
>>>>> <meta> elements.
>>>>>
>>>>> Another resolution (which I advocate) is the following:
>>>>>
>>>>> A) The first CSP policy the user agent encounters for a document
>>>>> wins.
>>>>>
>>>>> IMHO, approach (A) is better than approach (1+2) for two reasons.
>>>>> First, it's simpler.  CSP is already more complex that it should be.
>>>>> Adding more complexity is costly, both now in terms of
>>>>> implementation and in the future in terms of constraints.
>>>>>
>>>>> Second, approach (1+2) constrains future evolution of CSP.  For
>>>>> example, suppose we wanted to include
>>>>> http://wiki.whatwg.org/wiki/Meta_referrer as a CSP directive.  How
>>>>> would we define the combination of policies containing referrer
>>>>> directives?  We'd have to define some ordering like "never < origin
>>>>> < always", but where does default fit in?
>>>>>
>>>>> These are, in some sense, the same concern.  We can implement
>>>>> combination today, but it imposes constrains on the future that we
>>>>> might wish we didn't have later.
>>>>>
>>>>> Adam
>>>>>
>>>>
>>>>
>>>
>>
>>
>

Received on Friday, 9 December 2011 02:17:08 UTC