CSP feature detection.

Hello, lovely public-webappsec folks,

Frameworks are starting to build in support for CSP, which is excellent
(AngularJS is the first I've seen:
http://docs.angularjs.org/api/angular.module.ng.$compileProvider.directive.ngCsp).
The implementation exposes a gap in the current spec, however, which I
think is worth taking a look at. In a nutshell, Angular requires manual
intervention to enable CSP. If they could programmatically detect
the boundaries of a site's currently active policy, they could fork
implementation internally without bothering the developer.

Angular's dev has explicitly requested such an API, and Modernizr has taken
an initial stab at a detection script for one piece of policy. It's clearly
a poor solution, but it's all they can do at the moment:
https://github.com/Modernizr/Modernizr/pull/565.

Given the need, I'd suggest that a feature detection API be added to the
spec explicitly. I've jotted down a strawman proposal at
https://mikewest.org/2012/05/content-security-policy-feature-detection that
I'd appreciate some feedback on. Here are the TL;DR highlights:

1. Add `document.contentSecurityPolicy` object in browsers that support CSP.
2. Detect whether a policy has been set via a
`document.contentSecurityPolicy.active` boolean property.
3. Detect the state of the policy by querying against the whitelist via the
boolean return value from
`document.contentSecurityPolicy.isWhitelisted([directive], [URL /
keyword])`.

Angular's use case ("Is `new Function()` available?") could be served by
forking implementation based on the return value of
`document.contentSecurityPolicy.isWhitelisted('script-src', 'unsafe-eval')`.

How does this sound to you folks?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Wednesday, 2 May 2012 21:13:50 UTC
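As an added illustration (not part of the post, the strawman, or any browser's code), here is a user-land sketch of the `isWhitelisted(directive, target)` check the proposal describes, run over a serialized policy string, next to the try/catch probe that Modernizr-style detection has to rely on today. It assumes the script can obtain the policy text (for example from a meta tag); the function names, the `default-src` fallback behaviour and the sample policy are constructed for this example, ports and `'self'` resolution are left out.

```javascript
// Parse "directive src src; directive src" into { directive: [sources] }.
// As in CSP 1.0, the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression cover the target? The target is either a bare
// keyword such as "unsafe-eval" (queried without quotes, as in the strawman)
// or a full URL. Ports and 'self' are not resolved here (assumption: kept
// out of this sketch for brevity; 'self' would need the document origin).
function sourceMatches(expr, target) {
  const e = expr.toLowerCase();
  if (e.startsWith("'")) return e === `'${target.toLowerCase()}'`; // keyword
  let url;
  try { url = new URL(target); } catch (err) { return false; }     // keyword vs. host expr
  if (e === '*') return true;                                      // any URL
  if (e.endsWith(':')) return url.protocol === e;                  // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(e);
  if (!m) return false;
  const [, scheme, wild, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wild ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// The proposed document.contentSecurityPolicy.isWhitelisted(directive, target)
// over a parsed policy: a missing directive falls back to default-src, and a
// policy that sets neither leaves that resource type unrestricted.
function isWhitelisted(directives, directive, target) {
  const list = directives[directive.toLowerCase()] || directives['default-src'];
  if (list === undefined) return true;
  return list.some((expr) => sourceMatches(expr, target));
}

// What detection scripts do today: probe instead of ask. Under a script-src
// policy without 'unsafe-eval', new Function() throws and this returns false.
function evalAllowedAtRuntime() {
  try { return new Function('return true')(); } catch (err) { return false; }
}

// Constructed sample policy, as a server might send it in the CSP header.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'; img-src *";

const csp = parseCsp(SAMPLE_POLICY);
// Angular's question, answered from the policy rather than by probing:
const evalOk = isWhitelisted(csp, 'script-src', 'unsafe-eval'); // false: take the no-eval path
```

In a real page the two answers can disagree: the policy check reflects the declared policy, while the runtime probe reflects what the browser actually enforces, so a framework would want the probe as a fallback where the API is absent.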