Re: Proposal to remove the 'frame-action' directive from CSP 1.1 from Mike West on 2012-06-11 (public-webappsec@w3.org from June 2012)

From: Mike West <mkwst@google.com>
Date: Mon, 11 Jun 2012 19:22:07 +0200
To: Adam Barth <w3c@adambarth.com>
Cc: Eric Chen <eric.chen@sv.cmu.edu>, public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
Message-ID: <CAKXHy=eL9qJHe45aCskqY=t=XpVUSs1zO74Y4GndSxMQTHT6Ug@mail.gmail.com>

On Mon, Jun 11, 2012 at 7:12 PM, Adam Barth <w3c@adambarth.com> wrote:

> What about form-action 'none'.  Is that still useful?
>
> Also, you might expect that web sites that implement CSP are more
> interested in security and therefore more likely to be part of the 60%
> that protect themselves from CSRF.
>

I'd also note that combining `form-action` with the proposal for more
granular (directory level) sources would make the directive more effective
than the paper presupposes. Authors would have the ability to lock a page
down to submitting forms to specific recipients on their own origin, which
would be a fairly powerful defense.

-mike

Received on Monday, 11 June 2012 17:22:58 UTC