Re: Multiple Content-Security-Policy headers from Tanvi Vyas on 2012-05-08 (public-webappsec@w3.org from May 2012)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 08 May 2012 11:17:15 -0700
To: Daniel Veditz <dveditz@mozilla.com>
CC: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org
Message-ID: <4FA9632B.2020809@mozilla.com>

Thinking about this a bit more, I like Adam's proposed method - take 
each source through all policies, if a source is forbidden by any one of 
them, the source is not allowed.

This method is more future proof and doesn't require the spec to specify 
intersections per directive.  Suppose that in the future we have a 
directive "fruit" with 2 possible values - "apples" and "oranges".  
Neither directive value is safer than the other, but one policy may have 
the value "apples" and another may have the value "oranges".  Using this 
method, "apples" will only be allowed if it passes all policies.  (The 
corresponding intersection rule for this directive would then be to only 
include this directive in the combined policy if it exists in all 
policies with the same value.  Otherwise, don't include this directive 
at all.)

As far as implementation, browser vendors could decide (for performance 
reasons) to create per directive intersection rules that would yield the 
same behavior as this method.

One question - what would happen if the two policies had different 
report-uris?  If we follow this heuristic, we wouldn't send any reports, 
correct?

~Tanvi

On 5/7/12 6:07 PM, Daniel Veditz wrote:
> On 5/7/12 3:36 PM, Adam Barth wrote:
>> On Mon, May 7, 2012 at 3:29 PM, Tanvi Vyas<tanvi@mozilla.com>  wrote:
>>> Instead, what if we set precedence for different types of headers.  If
>>> firefox see's Content-Security-Policy and X-Content-Security-Policy, it
>>> ignores X-Content-Security-Policy.  If Webkit sees Content-Security-Policy
>>> and X-WebKit-CSP, it ignores X-WebKit-CSP.  If either browser see's two of
>>> the same headers (2 Content-Security-Policy, 2 X-Content-Security-Policy, or
>>> 2 X-Webkit-CSP), set the policy to default-src 'none'.
>> I'd rather not spec what implementations should do with
>> vendor-prefixed headers, if we can avoid it.
>>
>> I guess I was mistaken.  I thought you and dveditz preferred that the
>> user agent combined multiple policies.  If you and Dan would prefer
>> that multiple Content-Security-Policy headers cause the user agent to
>> enforce default-src 'none', I'm happy to update the spec to require
>> that.
> We definitely prefer combined policies; it seems far more useful
> than default-src 'none'. Whether you apply each in series or try to
> intersect them for performance reasons is an implementation detail
> that should lead to the same result. We're fine having it specified
> that clients should behave "as if" they were combined that way.
>
> Whether the standard header should obsolete any experimental ones or
> combine with it is a separate issue and was the main thrust of
> Tanvi's mail. I've been assuming we'd obsolete the
> experimental/prefixed versions but you're not wrong that it might be
> useful for experimentation with future features. Probably better
> than prefixed directives, anyway.
>
> -Dan Veditz

Received on Tuesday, 8 May 2012 18:17:39 UTC