- From: Mike West <mkwst@google.com>
- Date: Fri, 1 Jun 2012 20:43:35 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=fV2zp=ETrSAPjtno24caa-JVOvYtxJnLQSmfW7dU2ATA@mail.gmail.com>
I've taken a stab at a WebKit implementation of the experimental CSP script interface as currently specified in the 1.1 draft, and have a suggestion for improvement based on that experience. Specific query methods for each of the relevant types that CSP deals with seem simpler to deal with than the current structure. The `SecurityPolicy.isWhitelisted` method does too much at the moment, and requires developers to know too much about how CSP actually works. Asking "Can I run inject a script block onto this page?" requires a developer to understand the directive is named `script-src`, and that the specific value they should test for is 'unsafe-inline'. That's probably too much to ask. Something like `SecurityPolicy.allowInlineScript()` would be more straightforward, as would `SecurityPolicy.allowEval()` and `SecurityPolicy.allowScriptFrom([URL])` and so on. If you're curious, the IDL file I'm running with at the moment is https://github.com/mikewest/webkit/blob/csp11domapi/Source/WebCore/page/DOMSecurityPolicy.idl, and you can see some usage examples in the `securitypolicy-*` tests under https://github.com/mikewest/webkit/tree/csp11domapi/LayoutTests/http/tests/security/contentSecurityPolicy -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Friday, 1 June 2012 18:44:25 UTC