- From: Caleb Queern <cqueern@gmail.com>
- Date: Sat, 12 Jul 2014 22:17:49 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEnXMMoCM_Oa8K=74q5Cb_6NZY7D1oeeUfiUxOrhw3FJFwpMyA@mail.gmail.com>
Hey Mike, thanks for the link. Here's what was on my mind. (It assumes that we agree having CSP in the headers is better because it's less easily manipulated or hijacked by an attacker. Not sure my argument is too sound, but if nothing else perhaps having a quick place in writing where this was discussed may aid curious folks in the future.)

Essentially, if we allow CSP to be declared in meta tags, we're giving the world two options. We're saying, "Hey world, 1. You can communicate CSP using HTTP headers. This is the best way of doing things, but it's pretty hard for most people most of the time. 2. You can also communicate CSP directives using meta tags. This is not really a good way of doing things, but it's really easy for most people most of the time."

My concern / fear is that looking back we'll find that we'll regret making it easy for most people to do things in a way we think is less secure, and we'll have a lot of moments where we say "duh, of course everybody messed that up; maybe it was naive for us to think they'd take the extra steps to do it the harder and better way".

I understand that there are scenarios when folks can't modify headers and offering CSP via meta tags would be their only option. I just wonder if the risk introduced by allowing CSP in meta tags is really justified by the perceived benefit.

Perhaps this concern has already been addressed somewhere and I missed it, but since you said now's the right time to have opinions about it...

On Fri, Jul 11, 2014 at 7:52 AM, Mike West <mkwst@google.com> wrote:
> http://www.w3.org/TR/CSP2/#delivery-html-meta-element is what made it
> to the Last Call draft. Now's the right time to have opinions about
> it, either way. :)
>
> -mike
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing Directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Fri, Jul 11, 2014 at 2:10 AM, Caleb Queern <cqueern@gmail.com> wrote:
> > Hey gang,
> >
> > Been lurking a while... first time posting to the distro.
> >
> > I wanted to see where things lie with the proposal to allow CSP declarations
> > via meta tags. Has that gotten the green light, or is that still under
> > debate?
> >
> > Caleb

--
Caleb
571-228-8011
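The two delivery mechanisms the message compares, as an added example that is not part of the thread and not code from the CSP working group: a small linter that takes a policy as it would be sent in the `Content-Security-Policy` header, shows which directives survive when the same policy is moved into a `<meta http-equiv>` element, and flags a meta policy that is placed after content it cannot govern. It goes slightly beyond the email in relying on two behaviours the CSP2 Last Call draft linked above specifies for the meta element: the `report-uri`, `frame-ancestors` and `sandbox` directives are ignored there, and a meta-delivered policy does not apply to content parsed before it. The HTML samples and the function names are constructed for this example.

```python
"""Compare header-delivered and meta-delivered CSP for the same policy.

Added example for the public-webappsec thread above, not project code.
Facts encoded (from the CSP2 draft's HTML meta element section):
  * report-uri, frame-ancestors and sandbox are ignored in a meta element;
  * a meta policy does not cover content parsed before the element.
The HTML documents below are constructed samples.
"""
from html.parser import HTMLParser

# Directives that CSP2 ignores when the policy arrives via <meta>.
META_IGNORED = {"report-uri", "frame-ancestors", "sandbox"}

# Elements that fetch or embed content and so escape a later meta policy.
CONTENT_TAGS = {"script", "link", "style", "img", "iframe", "object", "embed", "base"}


def parse_policy(serialized):
    """Split a serialized CSP into {directive-name: [source-expressions]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_policy(serialized, delivered_via):
    """Directives that take effect for 'header' versus 'meta' delivery."""
    policy = parse_policy(serialized)
    if delivered_via == "meta":
        return {k: v for k, v in policy.items() if k not in META_IGNORED}
    return policy


class _MetaCspFinder(HTMLParser):
    """Collect CSP meta elements and the content tags parsed before each."""

    def __init__(self):
        super().__init__()
        self.preceding = set()   # content tags seen so far
        self.found = []          # (policy string, copy of preceding tags)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.found.append((a.get("content") or "", set(self.preceding)))
        elif tag in CONTENT_TAGS:
            self.preceding.add(tag)


def lint_meta_csp(html_doc):
    """Return human-readable findings for CSP policies delivered via <meta>."""
    finder = _MetaCspFinder()
    finder.feed(html_doc)
    findings = []
    if not finder.found:
        return ["no Content-Security-Policy meta element found"]
    for policy_str, preceding in finder.found:
        policy = parse_policy(policy_str)
        for name in sorted(META_IGNORED & policy.keys()):
            findings.append(f"directive '{name}' is ignored in a meta element")
        if preceding:
            findings.append("meta policy does not cover content parsed before it: "
                            + ", ".join(sorted(preceding)))
    return findings


# Constructed sample: a policy an author might paste from a header into <meta>.
POLICY = "default-src 'self'; frame-ancestors 'none'; report-uri /csp"

# Constructed sample page: a script is loaded before the meta policy appears.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/analytics.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
</head><body></body></html>"""

if __name__ == "__main__":
    print("As a header, Content-Security-Policy: " + POLICY)
    print("effective via header:", effective_policy(POLICY, "header"))
    print("effective via meta:  ", effective_policy(POLICY, "meta"))
    for finding in lint_meta_csp(SAMPLE_HTML):
        print("finding:", finding)
```

Running the module prints the directives that survive each delivery route and three findings for the sample page: the `frame-ancestors` and `report-uri` directives silently drop out of the meta version, and the analytics script was already parsed before the policy existed. That silent loss is the concrete form of the concern raised in the message: the meta route is easy to adopt but can leave an author believing a protection is in place when it is not.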
Received on Sunday, 13 July 2014 05:18:16 UTC