- From: Ludwig, Sven <Sven.Ludwig@senacor.com>
- Date: Sat, 27 Dec 2014 01:40:44 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <72f60ae55d3f49d4b20c3aaca23f9d6d@FDHSENEX01.senacormail.de>
Hi,

Following the excellent talk https://www.youtube.com/watch?v=pocsv39pNXA by Adam Barth: CSP supports setting multiple policies (i.e. multiple Content-Security-Policy headers) in a response, which then all must be fulfilled. One reason for this principle, as mentioned in the talk, is that an attacker might somehow be able to add his own CSP header to the response, however without replacing existing headers coming from the server. In this case the attack does not open up security, because additional Content-Security-Policy headers can only introduce more restrictions.

Having said that, the header Content-Security-Policy-Report-Only could be considered by an attacker to add, to open up security. Right now I am not sure if this could be an issue. If any Content-Security-Policy headers have precedence over any Content-Security-Policy-Report-Only headers, the attacker would still not be able to open up security in the above-mentioned way. Actually, I expect it to work like that. This should be mentioned in the section http://www.w3.org/TR/CSP2/#content-security-policy-report-only

Kind Regards,
Sven

Sven Ludwig
______________________________
Senacor Technologies AG
Joseph-Schumpeter-Allee 1
53227 Bonn
T +49 (228) 7636 - 204
F +49 (228) 7636 - 100
M +49 (172) 81 40 733
Sven.Ludwig@senacor.com
www.senacor.com

Senacor Technologies Aktiengesellschaft - Registered office: Schwaig b. Nbg. - Amtsgericht Nbg. - Reg. No.: HRB 23098
Management Board: Matthias Tomann, Marcus Purzer - Chairman of the Supervisory Board: Mathias J. Lindermeir

This e-mail including any attachments may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the materials in this e-mail is strictly forbidden.
Received on Saturday, 27 December 2014 16:37:00 UTC
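The combination rule discussed in the message above, as an added example that is not part of the original post or of any browser's code: every Content-Security-Policy header in a response is enforced on its own, so a request passes only if all enforced policies allow it, while Content-Security-Policy-Report-Only policies can only produce reports and never change the enforcement decision. The header values, the page origin `https://app.example` and the URLs are constructed for the example; the source-expression matcher is a simplified subset (keyword, scheme and host sources, no nonces, hashes or ports) written for this illustration.

```python
"""Added example: how multiple CSP headers in one response combine.

Simplified model of the rule the message discusses. Not a browser's
implementation; the policy grammar handled here is a small subset.
"""
from urllib.parse import urlsplit

ENFORCE = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def parse_policy(value):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source_expr, url, page_origin):
    """Simplified matching of one source expression against a URL."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    expr = source_expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == page_origin
    if expr == "*":
        return True
    if expr.endswith(":"):              # scheme-source such as https:
        return u.scheme == expr[:-1]
    if "://" not in expr:               # bare host: assume the URL's scheme (simplified)
        expr = f"{u.scheme}://{expr}"
    e = urlsplit(expr)
    host = e.hostname or ""
    if host.startswith("*."):
        host_ok = (u.hostname or "").endswith(host[1:])
    else:
        host_ok = u.hostname == host
    return host_ok and e.scheme == u.scheme


def policy_allows(policy, directive, url, page_origin):
    """A directive falls back to default-src; if neither is present, allow."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def evaluate(headers, directive, url, page_origin):
    """Return (allowed, number_of_report_only_policies_violated).

    headers is a list of (name, value) pairs in response order; a repeated
    header name means several independent policies. Enforced policies are
    ANDed; report-only policies are checked but never affect 'allowed'.
    """
    enforced = [parse_policy(v) for n, v in headers if n.lower() == ENFORCE.lower()]
    report_only = [parse_policy(v) for n, v in headers if n.lower() == REPORT_ONLY.lower()]
    allowed = all(policy_allows(p, directive, url, page_origin) for p in enforced)
    violated = [p for p in report_only if not policy_allows(p, directive, url, page_origin)]
    return allowed, len(violated)


# Constructed sample data for the demonstration.
PAGE_ORIGIN = "https://app.example"
SERVER_HEADERS = [(ENFORCE, "default-src 'self'; script-src 'self' https://cdn.example")]


def demo():
    """Show that an extra header, enforced or report-only, cannot loosen the server's policy."""
    cases = {
        "baseline": SERVER_HEADERS,
        "extra enforce header": SERVER_HEADERS + [(ENFORCE, "script-src *")],
        "extra report-only header": SERVER_HEADERS + [(REPORT_ONLY, "script-src *")],
        "extra tightening header": SERVER_HEADERS + [(ENFORCE, "script-src 'none'")],
    }
    results = {}
    for name, hdrs in cases.items():
        results[name] = {
            "cdn": evaluate(hdrs, "script-src", "https://cdn.example/lib.js", PAGE_ORIGIN)[0],
            "other": evaluate(hdrs, "script-src", "https://untrusted.example/x.js", PAGE_ORIGIN)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} cdn={outcome['cdn']!s:5} other={outcome['other']}")
```

Running `demo()` shows the point of the thread: a permissive `script-src *` added as a second enforced header or as a report-only header leaves the outcome identical to the server's own policy, and only an additional header that is stricter changes anything, by blocking more. A report-only policy that is violated shows up only in the second element of `evaluate`'s result, the report count.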