- From: Mike West <mkwst@google.com>
- Date: Tue, 3 Jul 2012 14:23:08 -0500
- To: Odin Hørthe Omdal <odinho@opera.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAKXHy=eqN=Kw5aQbP4QaOT+pCwrG48jOa0B9ohFybnGFywjsPQ@mail.gmail.com>
Note that WebKit only started complying with CSP 1.0's spec on this point about two weeks ago (http://trac.webkit.org/changeset/120540). Prior to that point, it was (silently) erroring off on the whole source. Given that history, we might have success at preparing the way for granularity in 1.1 by adding a warning to 1.0 implementations now, noting that the path component is being ignored. That would be lighter-weight than a version component.

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Mon, Jul 2, 2012 at 6:45 AM, Odin Hørthe Omdal <odinho@opera.com> wrote:

> On Fri, 22 Jun 2012 11:31:41 +0200, Mike West <mkwst@google.com> wrote:
>
>> One of the proposals for CSP 1.1 is additional granularity in source paths (http://www.w3.org/Security/wiki/Content_Security_Policy#Proposals_for_Version_1.1). I think this additional granularity is well worth pursuing
>
> I think so too. There are many places in CSP that I think it's a bit too granular and rather too complex IMHO, but this case seems a quite common way to give some additional security to smaller sites.
>
> In fact, it was also the first thing that came up when I talked with hackers making a small locally hosted image gallery software.
>
> You can work around it by having a userfiles domain, but it would complicate the setup procedure immensely.
>
> The problem with how the spec is doing things now (throwing away path component) is that sites using CSP (1.0) will no doubt have errors. They'll write script-src: http://my-site.com/js/ and use scripts from js, except for that one time they use one on /my-demo/js.js and it works anyway so they actually don't think about it.
>
> So if CSP 1.0 is allowed to live a long time in a browser, the behavior we have now might actually be mandatory for site-compat.
>
> --
> Odin Hørthe Omdal (Velmont/odinho) · Core, Opera Software,
> http://opera.com
Received on Tuesday, 3 July 2012 19:24:01 UTC