
Re: CSP declarations in html meta tags

From: Mike West <mkwst@google.com>
Date: Sun, 13 Jul 2014 09:08:04 +0200
Message-ID: <CAKXHy=fUp9S801YNHgJJXZ5ptE+B_19W-AdbdFbKQ7DX+s1ELA@mail.gmail.com>
To: Caleb Queern <cqueern@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
There's been a good bit of discussion about this topic on the list.
http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0202.html
and http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0105.html
are the most recent threads I know of.

Do they more or less answer your questions about the use cases <meta>
is intended to support?

-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Sun, Jul 13, 2014 at 7:17 AM, Caleb Queern <cqueern@gmail.com> wrote:
> Hey Mike thanks for the link.
>
> Here's what was on my mind. (It assumes that we agree having CSP in the
> headers is better because it's less easily manipulated or hijacked by an
> attacker. Not sure my argument is too sound but if nothing else perhaps
> having a quick place in writing where this was discussed may aid curious
> folks in the future.)
>
> Essentially if we allow CSP to be declared in meta tags, we're giving the
> world two options. We're saying,
>
> "Hey world,
>
> 1. You can communicate CSP using HTTP Headers. This is the best way of doing
> things but it's pretty hard for most people most of the time.
>
> 2. You can also communicate CSP directives using meta tags. This is not
> really a good way of doing things but it's really easy for most people most
> of the time."
>
> My concern / fear is that looking back we'll find that we'll regret making
> it easy for most people to do things in a way we think is less secure, and
> we'll have a lot of moments where we say "duh, of course everybody messed
> that up; maybe it was naive for us to think they'd take the extra steps to
> do it the harder and better way".
>
> I understand that there are scenarios when folks can't modify headers and
> offering CSP via meta tags would be their only option. I just wonder if the
> risk introduced by allowing CSP in meta tags is really justified by the
> perceived benefit.
>
> Perhaps this concern has already been addressed somewhere and I missed it,
> but since you said now's the right time to have opinions about it...
>
> On Fri, Jul 11, 2014 at 7:52 AM, Mike West <mkwst@google.com> wrote:
>>
>> http://www.w3.org/TR/CSP2/#delivery-html-meta-element is what made it
>> to the Last Call draft. Now's the right time to have opinions about
>> it, either way. :)
>>
>> -mike
>>
>> On Fri, Jul 11, 2014 at 2:10 AM, Caleb Queern <cqueern@gmail.com> wrote:
>> > Hey gang,
>> >
>> > Been lurking a while... first time posting to the distro.
>> >
>> > I wanted to see where things lie with the proposal to allow CSP
>> > declarations
>> > via meta tags. Has that gotten the green light, or is that still under
>> > debate?
>> >
>> > Caleb
>
> --
> Caleb
> 571-228-8011
Received on Sunday, 13 July 2014 07:08:51 UTC
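Caleb's point that a header is harder to tamper with has a concrete counterpart in CSP2's rules for `<meta>` delivery (the section Mike links): a policy in `<meta>` does not apply to content that precedes it, and the frame-ancestors, report-uri and sandbox directives are ignored when delivered that way. The audit script below is an added example, not code from the thread or the spec; the directive names come from CSP2, the element and attribute names are the standard ones, and the sample document is constructed.

```python
"""Audit a meta-delivered CSP against CSP2's limits on <meta> delivery (added example).
Drops the directives CSP2 ignores in <meta> (frame-ancestors, report-uri, sandbox)
and counts <script> elements before the <meta>, which the policy does not govern."""
from html.parser import HTMLParser

IGNORED_IN_META = {"frame-ancestors", "report-uri", "sandbox"}


def parse_policy(serialized):
    """Split "default-src 'self'; script-src ..." into {directive: [sources]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class MetaCspAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policy = None            # directives that actually take effect
        self.ignored = []             # directives dropped by <meta> delivery
        self.scripts_before_meta = 0  # <script> elements the policy never sees

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_csp_meta = (tag == "meta" and
                       (a.get("http-equiv") or "").lower() == "content-security-policy")
        if is_csp_meta and self.policy is None:
            full = parse_policy(a.get("content") or "")
            self.ignored = sorted(d for d in full if d in IGNORED_IN_META)
            self.policy = {d: s for d, s in full.items() if d not in IGNORED_IN_META}
        elif tag == "script" and self.policy is None:
            self.scripts_before_meta += 1  # parsed (or injected) ahead of the policy


def audit_meta_csp(html):
    auditor = MetaCspAuditor()
    auditor.feed(html)
    return {"effective": auditor.policy, "ignored": auditor.ignored,
            "scripts_before_meta": auditor.scripts_before_meta}


# Constructed sample: a script ahead of the <meta>, plus two directives that
# only work in the HTTP header form of the policy.
SAMPLE = """<html><head><script>track()</script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /r">
</head><body><script src="/app.js"></script></body></html>"""
```

Calling `audit_meta_csp(SAMPLE)` reports an effective policy of only `default-src 'self'`, two ignored directives, and one script the policy never covered.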
