- From: Mike West <mkwst@google.com>
- Date: Wed, 2 May 2012 09:59:59 -0700
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=en6Y+ioai=K=aB2=BnPC1V_S6z9Pww=mQLH4tqVPemkg@mail.gmail.com>
Hello, lovely public-webappsec folks,

Frameworks are starting to build in support for CSP, which is excellent (AngularJS is the first I've seen: http://docs.angularjs.org/api/angular.module.ng.$compileProvider.directive.ngCsp). The implementation exposes a gap in the current spec, however, which I think is worth taking a look at.

In a nutshell, Angular requires manual intervention to enable CSP. If they could programmatically detect the boundaries of a site's currently active policy, they could fork implementation internally without bothering the developer. Angular's dev has explicitly requested such an API, and Modernizr has taken an initial stab at a detection script for one piece of policy. It's clearly a poor solution, but it's all they can do at the moment: https://github.com/Modernizr/Modernizr/pull/565.

Given the need, I'd suggest that a feature detection API be added to the spec explicitly. I've jotted down a strawman proposal at https://mikewest.org/2012/05/content-security-policy-feature-detection that I'd appreciate some feedback on. Here are the TL;DR highlights:

1. Add a `document.contentSecurityPolicy` object in browsers that support CSP.
2. Detect whether a policy has been set via a `document.contentSecurityPolicy.active` boolean property.
3. Detect the state of the policy by querying against the whitelist via the boolean return value from `document.contentSecurityPolicy.isWhitelisted([directive], [URL / keyword])`.

Angular's use case ("Is `new Function()` available?") could be served by forking implementation based on the return value of `document.contentSecurityPolicy.isWhitelisted('script-src', 'unsafe-eval')`.

How does this sound to you folks?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
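As an added illustration (not code from the email, AngularJS or Modernizr), the fork Angular would make: use the proposed `document.contentSecurityPolicy` API where present, otherwise fall back to the probe-style detection that is all a script can do today. The `makeCspStub` helper is a constructed stand-in for the strawman API, so the fork can be exercised outside a browser; its keyword-only `isWhitelisted` semantics are an assumption, not a shipped interface.

```javascript
// Constructed stand-in for the proposed API, built from a policy string.
// Assumption: only quoted keywords (e.g. 'unsafe-eval') are matched, with the
// CSP fallback from a missing directive to default-src. URL matching is omitted.
function makeCspStub(policy) {
  var directives = {};
  (policy || '').split(';').forEach(function (d) {
    var parts = d.trim().split(/\s+/);
    if (parts[0]) directives[parts[0]] = parts.slice(1);
  });
  return {
    active: !!policy,
    isWhitelisted: function (directive, value) {
      var list = directives[directive] || directives['default-src'] || [];
      // Accept the keyword with or without the quotes the policy syntax uses.
      return list.indexOf(value) !== -1 || list.indexOf("'" + value + "'") !== -1;
    }
  };
}

// Probe-based fallback: under a policy without 'unsafe-eval' the browser
// refuses to compile a function from a string and throws.
function probeEvalAllowed() {
  try {
    new Function('return 1;')();
    return true;
  } catch (e) {
    return false;
  }
}

// `doc` is the document-like object carrying the CSP API; it defaults to the
// browser's global document when one exists.
function evalAllowed(doc) {
  if (doc === undefined) doc = (typeof document !== 'undefined') ? document : null;
  var csp = doc && doc.contentSecurityPolicy;
  if (csp && typeof csp.isWhitelisted === 'function') {
    if (!csp.active) return true;                 // no policy set, nothing blocked
    return csp.isWhitelisted('script-src', 'unsafe-eval');
  }
  return probeEvalAllowed();
}

// Framework-style fork, decided once at startup rather than per expression.
function chooseCompiler(doc) {
  return evalAllowed(doc) ? 'new Function' : 'interpreter';
}
```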
Received on Wednesday, 2 May 2012 21:13:50 UTC