[webappsec] CSP META tag support - keep or remove?

On the last conference call, we resolved to remove the policy-uri directive from the CSP 1.0 specification.

One of the suggested alternatives was the META tag.  We currently have only one implementation of META support, so this feature is also in danger.

I'd like to hear opinions on whether we should keep or remove this feature from v 1.0.

My initial take is:

Pro:
* Support static documents loaded by file:, data: or other non-HTTP methods
* Get around header size restrictions for very complex policies
* We have heard reports that the META tag is used to delay policy enforcement: to pre-load some resources outside of CSP restrictions, then inject it into a page to "lock it down".  If this is to be a supported use-case, I think we need to update the spec to make this very explicit.

Con:
* META policies can be overridden in the case of a header injection vulnerability. (though that is usually a game-over vulnerability, anyway, given HTTP response splitting possibilities)
* META policies significantly complicate the task of intermediaries who may wish to inspect resources for CSP compliance and inject/combine additional policy tokens, especially if the tag can appear anywhere in a resource

Thoughts?

Brad Hill

Received on Monday, 26 March 2012 22:28:28 UTC
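An added example, not part of Brad's message or of the CSP specification: a small Python audit of the kind an intermediary or site owner could run over a resource to locate CSP META tags, parse their directives, and flag tags placed where enforcement would not apply from the start (outside `<head>`, or after a `<script>` has already run). It assumes the `http-equiv="Content-Security-Policy"` form of the tag; the sample document is constructed for the example.

```python
from html.parser import HTMLParser

def parse_policy(text):
    """Split a serialized policy ("a b; c d") into {directive: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

class CspMetaAuditor(HTMLParser):
    """Record every CSP <meta> tag together with where in the document it appears."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts_before = 0  # <script> tags seen before the current point
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            self.scripts_before += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.findings.append({
                "policy": parse_policy(a.get("content", "")),
                "in_head": self.in_head,
                "scripts_before": self.scripts_before,
            })
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit(html):
    """Return all CSP <meta> findings for a document, in document order."""
    p = CspMetaAuditor()
    p.feed(html)
    p.close()
    return p.findings

def late_policies(findings):
    """Policies that did not apply from the start: outside <head> or after a <script>."""
    return [f for f in findings if not f["in_head"] or f["scripts_before"] > 0]

# Constructed sample: one policy in <head>, one injected after a preloading script.
SAMPLE_HTML = """<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:">
</head><body><script src="/preload.js"></script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</body></html>"""
```

Running `late_policies(audit(SAMPLE_HTML))` on the sample reports only the second tag, the "lock it down" policy that arrived after a script had already executed.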