- From: Mike West <mkwst@google.com>
- Date: Sun, 13 Jul 2014 09:08:04 +0200
- To: Caleb Queern <cqueern@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
There's been a good bit of discussion about this topic on the list. http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0202.html and http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0105.html are the most recent threads I know of. Do they more or less answer your questions about the use cases <meta> is intended to support?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sun, Jul 13, 2014 at 7:17 AM, Caleb Queern <cqueern@gmail.com> wrote:
> Hey Mike, thanks for the link.
>
> Here's what was on my mind. (It assumes that we agree having CSP in the
> headers is better because it's less easily manipulated or hijacked by an
> attacker. Not sure my argument is too sound, but if nothing else perhaps
> having a quick place in writing where this was discussed may aid curious
> folks in the future.)
>
> Essentially, if we allow CSP to be declared in meta tags, we're giving the
> world two options. We're saying,
>
> "Hey world,
>
> 1. You can communicate CSP using HTTP headers. This is the best way of doing
> things, but it's pretty hard for most people most of the time.
>
> 2. You can also communicate CSP directives using meta tags. This is not
> really a good way of doing things, but it's really easy for most people most
> of the time."
>
> My concern / fear is that looking back we'll find that we'll regret making
> it easy for most people to do things in a way we think is less secure, and
> we'll have a lot of moments where we say "duh, of course everybody messed
> that up; maybe it was naive for us to think they'd take the extra steps to
> do it the harder and better way".
>
> I understand that there are scenarios when folks can't modify headers and
> offering CSP via meta tags would be their only option. I just wonder if the
> risk introduced by allowing CSP in meta tags is really justified by the
> perceived benefit.
>
> Perhaps this concern has already been addressed somewhere and I missed it,
> but since you said now's the right time to have opinions about it...
>
>
> On Fri, Jul 11, 2014 at 7:52 AM, Mike West <mkwst@google.com> wrote:
>>
>> http://www.w3.org/TR/CSP2/#delivery-html-meta-element is what made it
>> to the Last Call draft. Now's the right time to have opinions about
>> it, either way. :)
>>
>> -mike
>>
>>
>> On Fri, Jul 11, 2014 at 2:10 AM, Caleb Queern <cqueern@gmail.com> wrote:
>> > Hey gang,
>> >
>> > Been lurking a while... first time posting to the distro.
>> >
>> > I wanted to see where things lie with the proposal to allow CSP
>> > declarations via meta tags. Has that gotten the green light, or is
>> > that still under debate?
>> >
>> > Caleb
>
>
> --
> Caleb
> 571-228-8011
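The thread contrasts the two CSP delivery mechanisms in the CSP2 draft: the `Content-Security-Policy` HTTP header and the `<meta http-equiv="Content-Security-Policy">` element. The following Python script is an added example, not code from the thread or from the W3C WebAppSec group, showing the kind of check a reviewer of a site's configuration can run to see which delivery is in use and what a `<meta>`-delivered policy loses. It encodes two facts from the CSP2 specification: a `<meta>` policy only governs content parsed after the element, and the `frame-ancestors`, `report-uri` and `sandbox` directives have no effect when delivered via `<meta>`. The two HTTP responses at the bottom are constructed sample inputs; the function and variable names are this example's own.

```python
from html.parser import HTMLParser

# Directives that CSP2 ignores when the policy is delivered via <meta>;
# they only take effect when sent in the HTTP header.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}


class _MetaCSPParser(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names; values may be None
        if (a.get("http-equiv") or "").strip().lower() == "content-security-policy":
            self.policies.append((a.get("content") or "").strip())


def split_response(raw):
    """Split a raw HTTP/1.1 response into a {lower-name: [values]} map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def directive_names(policy):
    """Return the set of directive names in a serialized policy."""
    return {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}


def audit_csp_delivery(raw_response):
    """Report how CSP reaches the document and which guarantees that delivery loses."""
    headers, body = split_response(raw_response)
    header_policies = headers.get("content-security-policy", [])
    parser = _MetaCSPParser()
    parser.feed(body)
    findings = []
    if header_policies:
        mode = "header"
    elif parser.policies:
        mode = "meta"
        findings.append(
            "policy delivered only via <meta>: content parsed before the element "
            "is not governed by it, and the element sits inside the document an "
            "injection may already control"
        )
        for policy in parser.policies:
            for d in sorted(directive_names(policy) & META_UNSUPPORTED):
                findings.append(f"directive '{d}' has no effect when delivered via <meta>")
    else:
        mode = "none"
        findings.append("no Content-Security-Policy found")
    return {
        "mode": mode,
        "header": header_policies,
        "meta": parser.policies,
        "findings": findings,
    }


# Constructed sample responses (not captured from any real site).
HEADER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><head><title>x</title></head><body></body></html>"
)

META_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>"
    "<script>/* runs before the policy below is parsed */</script>"
    "<meta http-equiv=\"Content-Security-Policy\" "
    "content=\"default-src 'self'; frame-ancestors 'none'; report-uri /csp\">"
    "</head><body></body></html>"
)

if __name__ == "__main__":
    for name, raw in (("header", HEADER_RESPONSE), ("meta", META_RESPONSE)):
        result = audit_csp_delivery(raw)
        print(name, "->", result["mode"])
        for f in result["findings"]:
            print("   ", f)
```

Run as a script it prints the delivery mode for each sample and, for the `<meta>` case, the two directives that silently do nothing there. In a real review the raw response would come from a fetch of the page; the point of the check is that a policy which looks complete in the markup can still be missing exactly the protections (framing control, reporting) the author expects.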
Received on Sunday, 13 July 2014 07:08:51 UTC