Re: [webappsec] more on the right directive for workers from Daniel Veditz on 2013-12-12 (public-webappsec@w3.org from December 2013)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 11 Dec 2013 23:42:40 -0800
To: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <52A968F0.4030408@mozilla.com>

On 12/3/2013 10:11 PM, Brad Hill wrote:
> So, I think that it makes the most sense to create a new directive for
> Workers.

I agree.

> 1) Create "worker-src" and have it govern only workers, shared workers,
> service workers, etc.

What about importScripts() inside a worker? That should be controlled by
the Worker's CSP script-src (if any) I should think.

>   1a) Break compatibility for the small number of resources currently
> using "script-src" to govern workers and hope policy authors upgrade
>   1b) As workers are always less powerful than scripts, have an
> (immediately deprecated) fail-back that anything in "script-src" is
> inherently also allowed as a "worker-src" (but not the other way around)

Will 1b) actually help anything? Unless it's a permanent alias (in which
case why are we bothering?) then at some point we're dealing with the
broken compatibility of 1a anyway. We should investigate how much
breakage there actually will be, but unless it's a lot I lean toward
taking the pain sooner. It will only affect more sites over time.

> 2) Create "child-src" and have it govern all child execution contexts:
> workers, frames, pop-ups

I wish we had started out this way, but now that frame-src is entrenched
this may be too wrenching a change. We would definitely need to continue
supporting frame-src in one of your two variations, and if that's the
case then we haven't gained much as we might as well keep frames and
workers in separate directives.

Also, at the moment workers are restricted to same-origin only. While
that may change in the future, in the present it seems somewhat odd to
have "child-src 'self' blog.mysite.com;". Would authors expect that to
make non-same-origin blog.mysite.com magically allowed in Workers now?

>   2a) Have "frame-src" continue as a deprecated synonym for "child-src"
>   2b) Have "frame-src" as a more restrictive sub-directive of
> "child-src" if present.

Given those two choices I prefer 2b). Keep it for compatibility, but
done expand its functionality. Although 2a would be less work to implement.

-Dan Veditz

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Thursday, 12 December 2013 07:43:09 UTC