Re: Proposal: CSP "allow-modification" directive

I wonder whether this use case can wait till a version 1.1.

Think "ad" instead of "widget".  I think that it's pretty important that CSP is compatible with running ads on the pages it's used to protect.

--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)

On 2011-12-09, at 00:39 +0100, Adam Barth wrote:

> I agree that there's a use case for including third-party widgets in
> your page without you having to know all the resources that they might
> include.  It's slightly unclear to me what the best delegation
> mechanism might be.  For example, you might want to set a bound like
> "my advertising provider can whitelist hosts for scripting, as long as
> they always use HTTPS."
> 
> In any case, I think this is a use case we should think about for CSP
> 1.1.  I'll add your proposal to the wiki shortly.
> 
> Adam
> 
> 
> On Thu, Dec 8, 2011 at 12:06 PM, Collin Jackson
> <collin.jackson@sv.cmu.edu> wrote:
>> One problem I see with CSP is that it encourages a one-size-fits-all policy
>> for an entire site, whereas in reality each page might want different
>> policies, and a single page might want different policies at different
>> times. I would like to propose a CSP "allow-modification" directive that
>> exposes a JavaScript API for adding new CSP directives to the current page.
>> I envision this would mostly be used by third-party script providers. For
>> example:
>> 
>> - Sites can delegate their CSP policy to third-party security companies on a
>> page-by-page basis. Right now, you can do this on a page-by-page basis with
>> policy-uri, but it has poor cache performance.
>> - Third-party ad networks (e.g. DoubleClick) could choose ad servers
>> dynamically to serve ad content.
>> - Third-party analytics providers could add and remove report-URIs without
>> having to get the web site to change its server configuration.
>> - Better support for CSP in single-page web applications where more sources
>> of content are added over the lifetime of a single page (e.g. a streaming news
>> feed that contains third-party images).
>> 
>> I don't see a security risk to setting the "allow-modification" directive
>> (if the attacker could run JavaScript on your site to add a new CSP
>> directive, they could already steal your cookies and other private data) but
>> it's probably a good idea to make it opt-in just in case.
>> 
>> Collin
> 
> 

Received on Friday, 9 December 2011 18:45:39 UTC