- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 26 Mar 2012 16:34:53 -0700
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Mar 26, 2012 at 3:27 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> On the last conference call, we resolved to remove the policy-uri directive from the CSP 1.0 specification.
>
> One of the suggested alternatives was the META tag. We currently have only one implementation of META support, so this feature is also in danger.
>
> I'd like to hear opinions on whether we should keep or remove this feature from v1.0.
>
> My initial take is:
>
> Pro:
> * Support static documents loaded by file:, data: or other non-HTTP methods
> * Get around header size restrictions for very complex policies
> * We have heard reports that the META tag is used to delay policy enforcement: to pre-load some resources outside of CSP restrictions, then inject it into a page to "lock it down". If this is to be a supported use-case, I think we need to update the spec to make this very explicit.
>
> Con:
> * META policies can be overridden in the case of a header injection vulnerability. (Though that is usually a game-over vulnerability anyway, given HTTP response splitting possibilities.)
> * META policies significantly complicate the task of intermediaries who may wish to inspect resources for CSP compliance and inject/combine additional policy tokens, especially if the tag can appear anywhere in a resource.
>
> Thoughts?

There's also a con that we need to worry about attackers injecting <meta> elements with markup injection vulnerabilities (not just header injection vulnerabilities).

That said, I believe we should support the <meta> element because of the third "pro" above. Specifically, in working with folks who have complex web applications, it's much easier for them to deploy CSP incrementally by moving the <meta> element earlier and earlier in their load process until it's at the beginning and they can switch to using the header.

Adam
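The second "con" above, an intermediary inspecting a resource for CSP compliance when the <meta> tag may appear anywhere in it, is illustrated by this added example (it is not code from the thread or from any CSP implementation). It walks an HTML document with Python's standard-library parser, records every CSP <meta> element with its parsed directives, and notes whether the element sits inside <head> or later in the body; the sample document and its two policies are constructed, and which placements a given browser honours is an assumption left to the reader's implementation.

```python
# Added example (not from the thread): the check an inspecting intermediary would run.
# It lists every <meta http-equiv="Content-Security-Policy"> in a document, whether it
# sits inside <head> or later in the body, and the directives it carries.
from html.parser import HTMLParser

def parse_policy(serialized):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in serialized.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

class CspMetaScanner(HTMLParser):
    """Collect CSP <meta> elements with their placement and parsed directives."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # one dict per CSP <meta>: {"in_head": bool, "policy": {...}}

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "content-security-policy":
            self.found.append({"in_head": self.in_head,
                               "policy": parse_policy(attrs.get("content", ""))})

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def scan(html):
    scanner = CspMetaScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found  # CSP <meta> elements in document order

# Constructed sample: one policy declared in <head>, a second one appearing late in <body>.
SAMPLE = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' https://cdn.example">
</head><body><p>hello</p>
<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
</body></html>"""

if __name__ == "__main__":
    for number, meta in enumerate(scan(SAMPLE), 1):
        print(f"policy {number} in <{'head' if meta['in_head'] else 'body'}>: {meta['policy']}")
```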
Received on Monday, 26 March 2012 23:35:54 UTC