Re: [webappsec] CSP META tag support - keep or remove?

On Mon, Mar 26, 2012 at 3:27 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> On the last conference call, we resolved to remove the policy-uri directive from the CSP 1.0 specification.
>
> One of the suggested alternatives was the META tag.  We currently have only one implementation of META support, so this feature is also in danger.
>
> I'd like to hear opinions on whether we should keep or remove this feature from v 1.0.
>
> My initial take is:
>
> Pro:
> * Support static documents loaded by file:, data: or other non-HTTP methods
> * Get around header size restrictions for very complex policies
> * We have heard reports that the META tag is used to delay policy enforcement: to pre-load some resources outside of CSP restrictions, then inject it into a page to "lock it down".  If this is to be a supported use-case, I think we need to update the spec to make this very explicit.
>
> Con:
> * META policies can be overridden in the case of a header injection vulnerability. (though that is usually a game-over vulnerability, anyway, given HTTP response splitting possibilities)
> * META policies significantly complicate the task of intermediaries who may wish to inspect resources for CSP compliance and inject/combine additional policy tokens, especially if the tag can appear anywhere in a resource
>
> Thoughts?

There's also a con that we need to worry about attackers injecting
<meta> elements with markup injection vulnerabilities (not just header
injection vulnerabilities).

That said, I believe we should support the <meta> element because of
the third "pro" above.  Specifically, in working with folks who have
complex web applications, it's much easier for them to deploy CSP
incrementally by moving the <meta> element earlier and earlier in
their load process until it's at the beginning and they can switch to
using the header.

Adam

Received on Monday, 26 March 2012 23:35:54 UTC