Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD from Adam Barth on 2012-11-28 (public-webappsec@w3.org from November 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 27 Nov 2012 16:01:29 -0800
To: Fred Andrews <fredandw@live.com>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAJE5ia-vJ6r+us1pQSaXkdSAmOuNZkoDeFXqEeE3nTbCMLBzrA@mail.gmail.com>

On Tue, Nov 27, 2012 at 3:45 PM, Fred Andrews <fredandw@live.com> wrote:
> Dear Brad,
>
> Using a <meta> element for the CSP is problematic and I recommend it be
> moved to an attribute on the <html> element.  Further I recommend that
> injection of such an attribute be ignored so that only the static markup can
> have any effect.
>
> Using a <meta> element opens a range of complex issues, such as
> synchronizing the start of a CSP with ongoing asynchronous page load actions
> and the retrospective application of restrictions to running JS contexts.
> To make it reliable might require the introduction of a dependency notation
> and this may not be worth the effort.

This is good feedback for the working group for after we've published
a FPWD.  Perhaps we should raise an ISSUE so that we're sure to
address your concerns before moving to the next stage of the W3C
process.

Adam


> The security work of PUA CG requires a static mechanism for specifying the
> CSP to avoid the initiation of the CSP being used to leak information and a
> <html> attribute will likely be used to avoid having to reading ahead for a
> CSP <meta> element.   This appears much easier to implement and would be a
> subset of the proposed CSP 1.1 <meta> element and perhaps it would be
> adequate and better suit browser vendors anyway.
>
> cheers
> Fred
>
> ________________________________
> From: bhill@paypal-inc.com
> To: public-webappsec@w3.org
> Date: Tue, 27 Nov 2012 22:01:20 +0000
> Subject: [webappsec] Call for Consensus: CSP 1.1 to FPWD
>
>
> This is a Call for Consensus among the WebAppSec WG to accept the following
> draft of CSP 1.1 as a First Public Working draft:
>
>
>
> https://dvcs.w3.org/hg/content-security-policy/raw-file/48bed86c418d/csp-specification.dev.html
>
>
>
> CSP 1.1 extends CSP 1.0 and defines several new elements of policy
> mechanism:
>
>
>
> * an HTML <meta> Element
>
> * Script Interfaces
>
> * Directory path Source Expressions
>
> * Media Type lists
>
>
>
> As well as a number of new directives:
>
>
>
> * form-action
>
> * script-nonce
>
> * plugin-types
>
> * reflected-xss
>
>
>
> Please send comments to public-webappsec@w3.org , positive feedback is
> encouraged.
>
>
>
> This CfC will end on December 4, 2012.
>
>
>
> Thank you,
>
>
>
> Brad Hill
>
>

Received on Wednesday, 28 November 2012 00:02:30 UTC