- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 8 Dec 2011 18:16:10 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-webappsec@w3.org, Giorgio Maone <g.maone@informaction.com>
I've updated the spec to reflect the "first-wins" behavior.

Adam

On Thu, Dec 8, 2011 at 1:57 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> I'm also fine with making the change to Adam's "first-wins" proposal.
>
> -Brandon
>
>
> ----- Original Message -----
> From: "Adam Barth" <w3c@adambarth.com>
> To: "Giorgio Maone" <g.maone@informaction.com>
> Cc: public-webappsec@w3.org
> Sent: Thursday, December 8, 2011 1:16:03 PM
> Subject: Re: ISSUE-4: Policy combination
>
> On Thu, Dec 8, 2011 at 12:55 PM, Giorgio Maone <g.maone@informaction.com> wrote:
>> Eric Rescorla wrote, On 08/12/2011 21.32:
>>> 1. In the header, a policy which specifies a policy-uri which takes 10
>>> seconds to load.
>>> 2. In the body, a meta tag with a complete policy
>>> Which one of these did the agent "encounter first"?
>>
>> The former. And if it times out, enforce default-src 'none'.
>
> Correct. policy-uri needs to block processing of the page until the
> policy can be fetched anyway.
>
> Adam
>
>
>> Eric Rescorla wrote, On 08/12/2011 21.32:
>>> Is this deterministic? Consider the case where a document has two
>>> policies:
>>>
>>> 1. In the header, a policy which specifies a policy-uri which takes 10
>>> seconds to load.
>>> 2. In the body, a meta tag with a complete policy
>>>
>>> Which one of these did the agent "encounter first"?
>>>
>>> -Ekr
>>>
>>>
>>> On Thu, Dec 8, 2011 at 12:10 PM, Giorgio Maone <g.maone@informaction.com>
>>> wrote:
>>>> +1 for A, first seen wins.
>>>>
>>>> -- G
>>>>
>>>> Adam Barth wrote, On 08/12/2011 20.35:
>>>>> One of our open issues is about how to deal with multiple CSP
>>>>> policies for a given resource. At TPAC, one resolution we discussed
>>>>> was the following:
>>>>>
>>>>> 1) If a resource has multiple HTTP headers containing CSP policies,
>>>>> enforce all of the policies. Because CSP policies only reduce
>>>>> privileges (never grant privileges), that effectively means that an
>>>>> action is allowed only if it is allowed by all the CSP policies.
>>>>>
>>>>> 2) If a resource has a CSP policy from an HTTP header, then we
>>>>> ignore any CSP policies that might be contained in <meta> elements.
>>>>> Otherwise, the user agent enforces all the CSP policies found in
>>>>> <meta> elements.
>>>>>
>>>>> Another resolution (which I advocate) is the following:
>>>>>
>>>>> A) The first CSP policy the user agent encounters for a document
>>>>> wins.
>>>>>
>>>>> IMHO, approach (A) is better than approach (1+2) for two reasons.
>>>>> First, it's simpler. CSP is already more complex than it should be.
>>>>> Adding more complexity is costly, both now in terms of
>>>>> implementation and in the future in terms of constraints.
>>>>>
>>>>> Second, approach (1+2) constrains future evolution of CSP. For
>>>>> example, suppose we wanted to include
>>>>> http://wiki.whatwg.org/wiki/Meta_referrer as a CSP directive. How
>>>>> would we define the combination of policies containing referrer
>>>>> directives? We'd have to define some ordering like "never < origin
>>>>> < always", but where does default fit in?
>>>>>
>>>>> These are, in some sense, the same concern. We can implement
>>>>> combination today, but it imposes constraints on the future that we
>>>>> might wish we didn't have later.
>>>>>
>>>>> Adam
>>>>>
>>>>
>>>>
>>>
>>
>>
>
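The two resolutions compared in the thread, modelled as an added Python example that is not part of the thread or of any CSP implementation; the policy parser and host matching are deliberately simplified, the header/meta policies are constructed samples, and a policy-uri that fails to load is treated as `default-src 'none'` as Giorgio and Adam agree above.

```python
Policy = dict[str, set[str]]  # directive name -> source expressions (literal tokens)


def parse_policy(text: str) -> Policy:
    """Parse "default-src 'self'; script-src 'self' https://cdn.example" (simplified)."""
    policy: Policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


# Thread rule: a policy-uri that times out is enforced as default-src 'none'
FETCH_FAILED = parse_policy("default-src 'none'")


def allows(policy: Policy, directive: str, source: str, origin: str) -> bool:
    """Does one policy allow `source` under `directive`? Falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither the directive nor default-src: unrestricted
        return True
    if "'none'" in sources:
        return False
    if "*" in sources or ("'self'" in sources and source == origin):
        return True
    return source in sources  # exact host-source match only; no scheme/wildcard logic


def combine_1_plus_2(headers: list[Policy], metas: list[Policy],
                     directive: str, source: str, origin: str) -> bool:
    """Resolution (1+2): header policies, if any, shadow <meta> policies entirely;
    within the chosen set every policy must allow the action (intersection)."""
    effective = headers if headers else metas
    return all(allows(p, directive, source, origin) for p in effective)


def first_wins(ordered: list[Policy], directive: str, source: str, origin: str) -> bool:
    """Resolution (A): only the first policy encountered is enforced; later ones are ignored."""
    return allows(ordered[0], directive, source, origin) if ordered else True


# Constructed sample: a header policy and a <meta> policy that tries to widen script-src
ORIGIN = "https://app.example"
HEADER = parse_policy("default-src 'self'")
META = parse_policy("default-src 'self'; script-src 'self' https://cdn.example")

if __name__ == "__main__":
    cdn = ("script-src", "https://cdn.example", ORIGIN)
    print("1+2, header present:", combine_1_plus_2([HEADER], [META], *cdn))  # False
    print("1+2, meta only:", combine_1_plus_2([], [META], *cdn))  # True
    print("A, header first:", first_wins([HEADER, META], *cdn))  # False
    print("A, meta first:", first_wins([META, HEADER], *cdn))  # True
    print("A, policy-uri timed out:", first_wins([FETCH_FAILED, META], "img-src", ORIGIN, ORIGIN))  # False
```

Note that under (A) the outcome depends on encounter order, which is why the thread pins down that a header-carried policy-uri blocks page processing until it resolves.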
Received on Friday, 9 December 2011 02:17:08 UTC