- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 9 Dec 2011 19:45:34 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: Thomas Roessler <tlr@w3.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, public-webappsec@w3.org, Eric Chen <eric.chen@sv.cmu.edu>, Rami Shomali <rami.shomali@sv.cmu.edu>, Chinmay Garde <chinmay.garde@sv.cmu.edu>, Yolando Pereira <yolando.pereira@sv.cmu.edu>
I wonder whether this use case can wait till a version 1.1. Think "ad" instead of "widget". I think that it's pretty important that CSP is compatible with running ads on the pages it's used to protect. -- Thomas Roessler, W3C <tlr@w3.org> (@roessler) On 2011-12-09, at 00:39 +0100, Adam Barth wrote: > I agree that there's a use case for including third-party widgets in > your page without you having to know all the resources that they might > include. It's slightly unclear to me what the best delegation > mechanism might be. For example, you might want to set a bound like > "my advertising provider can whitelist hosts for scripting, as long as > they always use HTTPS." > > In any case, I think this is a use case we should think about for CSP > 1.1. I'll add your proposal to the wiki shortly. > > Adam > > > On Thu, Dec 8, 2011 at 12:06 PM, Collin Jackson > <collin.jackson@sv.cmu.edu> wrote: >> One problem I see with CSP is that it encourages a one-size-fits-all policy >> for an entire site, whereas in reality each page might want different >> policies, and a single page might want different policies at different >> times. I would like to propose a CSP "allow-modification" directive that >> exposes a JavaScript API for adding new CSP directives to the current page. >> I envision this would mostly be used by third-party script providers. For >> example: >> >> - Sites can delegate their CSP policy to third-party security companies on a >> page-by-page basis. Right now, you can do this on a page-by-page basis with >> policy-uri, but it has poor cache performance. >> - Third-party ad networks (e.g. DoubleClick) could choose ad servers >> dynamically to serve ad content. >> - Third-party analytics providers could add and remove report-URIs without >> having to get the web site change its server configuration. >> - Better support for CSP in single-page web applications where more sources >> of content are added over lifetime of a single page (e.g. a streaming news >> feed that contains third-party images) >> >> I don't see a security risk to setting the "allow-modification" directive >> (if the attacker could run JavaScript on your site to add a new CSP >> directive, they could already steal your cookies and other private data) but >> it's probably a good idea to make it opt-in just in case. >> >> Collin > >
Received on Friday, 9 December 2011 18:45:39 UTC