- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 25 Sep 2012 13:39:53 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <50621699.1040901@mozilla.com>
Emailed Mike with some concerns, and Mike responded. Sharing this with the list. -------- Original Message -------- Subject: Re: CSP 1.1: Paths in source list definitions. Date: Tue, 25 Sep 2012 07:03:15 +0200 From: Mike West <mkwst@google.com> To: Tanvi Vyas <tanvi@mozilla.com> CC: dveditz@mozilla.com <dveditz@mozilla.com> Hey Tanvi, Dan! Thanks for reaching out. Responses inline. On Tue, Sep 25, 2012 at 12:11 AM, Tanvi Vyas <tanvi@mozilla.com <mailto:tanvi@mozilla.com>> wrote: I'm a little concerned that it doesn't allow file level restrictions , since the developer implementing the policy may not have control of the server that hosts a file included in his/her website. Assumestartup.com <http://startup.com/> wants to include newanalytics.com/js/analytics.js <http://newanalytics.com/js/analytics.js>, but nothing else from newanalytics.com/js <http://newanalytics.com/js>. With the below proposal, startup.com <http://startup.com/> wouldn't be able to write a Content Security Policy that allows only analytics.js. I see the current text as a starting point that captures more or less what I thought the group solidly agreed to, but I do hope it's clear that none of the edits I've made are final in any way. I'm putting out strawmen in the hopes of generating conversations like this one. :) I'd like to do something along these lines. My initial pass at the feature behaved more or less like this, and I think it's a good option. We really only ran with a directory-level implementation because it was simple, was fairly clearly accepted by the group, and we knew we could always increase the granularity later. Perhaps we could distinguish between directories and filenames by looking for a trailing slash followed by a star, so that startup.com <http://startup.com> has an option to choose between newanalytics.com/js/analytics.js <http://newanalytics.com/js/analytics.js> or newanalytics.com/js/* <http://newanalytics.com/js/*>. On the one hand, I like having an explicit wildcard at the end, as it makes it quite clear what's meant. On the other, a trailing '/' is probably just as explicit, and doesn't get us into weird discussions about supporting files named '*'. :) I'd suggest that: * newanalytics.com/js <http://newanalytics.com/js> match a file named "js" * newanalytics.com/js/ <http://newanalytics.com/js/> match all files under a directory named "js", and * newanalytics.com/js/analytics.js <http://newanalytics.com/js/analytics.js> match the specific file "analytics.js" under the directory named "js". Does that make sense? On another note, for query parameters and fragments at the end of source expressions, perhaps we should just truncate that part of the source expression instead of ignoring the source. This makes good sense. Looking back at the discussion Adam and I had while working through the experimental implementation[1], this is actually what we'd agreed on. It somehow morphed into a stricter check during the review process. Note, however, that if we support individual files, we'll likely want to support query parameters as well, since those specify a variant of a file in a way that anchors don't. Wanted to get your thoughts (and Dan's, cc'ed) before I replied to the list. Thanks! Generally, I'd encourage you to post your concerns to the list. The more people we can get involved in the discussion, the more likely it is that the end result will actually be implemented. :) [1]: https://bugs.webkit.org/show_bug.cgi?id=89750#c4 -- Mike West <mkwst@google.com <mailto:mkwst@google.com>>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 25 September 2012 20:40:22 UTC