
[CSP] Rule referencing

From: Alex Sexton <alexsexton@gmail.com>
Date: Wed, 16 Jul 2014 15:20:24 -0700
Message-ID: <CAGZtyER3fLgXos0KhREPsGvwnsjp=oRjh-WPPwpL0jg+O2y+Gg@mail.gmail.com>
To: public-webappsec@w3.org

Hi all!

I often find that my CSP rules in more complex apps get very large, but
also very repetitive. I think there is probably some sugar that could
dramatically reduce the size and mental overhead of writing the rules. (But
I also understand that shipping quickly, without sugar, is the right initial
path).

So for your future consideration, I'd like to propose some way of aliasing,
or referencing rules (or just one rule). A few ideas:


1) Adding the 'default' rule, that points at 'default-src'

default-src 'self' foo.com; img-src 'default' bar.com;

which would desugar into:

default-src 'self' foo.com; img-src 'self' foo.com bar.com;



2) Allowing a reference to any top-level rule

default-src 'self' foo.com; img-src 'default-src' bar.com; style-src
'img-src' baz.com;

which would desugar into:

default-src 'self' foo.com; img-src 'self' foo.com bar.com; style-src
'self' foo.com bar.com baz.com;


3) Allowing variables

(I don't actually like this idea enough to type it all out, but you could
have `--common-src` and reference it, much like CSS intends to do in the
future)


--

The only problem this would cause, in my experience (but I am by no means a
comprehensive test), would be that I often want to take the common case,
and *remove* one rule. These solutions are mostly additive in nature.

I also understand that the savings don't seem very impressive with these
1-tiny-domain example URLs. In practice, I have many more, much longer,
fully qualified paths, domains and protocols. It would absolutely cut
down the total size of the header (by far my biggest), as well as allow me
to make changes to the rules more easily (though I more or less wrote a
transpiler that does this, so it'd be more for other future users :D).


Thanks for your eyes/ears!

-- 
Alex Sexton
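The desugaring described in ideas 1 and 2 above, written out as a small Python pass. This is an added example and is not part of the post, of Alex's transpiler, or of any CSP implementation; the `'default'` alias and the `'<directive>-src'` reference syntax are the proposal's, and the resolution rules (references resolve left to right, a directive may only reference one declared earlier, unknown or forward references are rejected rather than silently dropped, duplicate directives are ignored as in CSP) are assumptions chosen so that a typo in a reference can never widen or silently empty a source list.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed example implementing the proposed reference sugar.
# A quoted token names a directive only if it is 'default' or looks like
# '<name>-src'; real keyword sources ('self', 'nonce-...', 'sha256-...')
# never match and pass through untouched.
DIRECTIVE_RE = re.compile(r"^[a-z][a-z0-9-]*-src$")


def parse_policy(policy: str) -> list[tuple[str, list[str]]]:
    """Split a serialized policy into (directive-name, source-list) pairs."""
    directives = []
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def reference_target(token: str) -> Optional[str]:
    """Return the directive a quoted token refers to, or None for a real source."""
    if len(token) < 3 or token[0] != "'" or token[-1] != "'":
        return None
    inner = token[1:-1].lower()
    if inner == "default":
        return "default-src"
    if DIRECTIVE_RE.match(inner):
        return inner
    return None


def desugar(policy: str) -> str:
    """Expand references left to right into a plain CSP header value.

    A directive may only reference directives that appear earlier in the
    header, so self references and forward references raise ValueError
    instead of producing an unexpectedly empty (or wider) source list.
    """
    expanded: dict[str, list[str]] = {}
    for name, sources in parse_policy(policy):
        if name in expanded:  # CSP ignores a repeated directive; so do we
            continue
        result: list[str] = []
        for src in sources:
            target = reference_target(src)
            if target is None:
                pieces = [src]
            elif target in expanded:
                pieces = expanded[target]
            else:
                raise ValueError(
                    f"{name}: {src} references an unknown or later directive"
                )
            for piece in pieces:
                if piece not in result:  # keep order, drop duplicates
                    result.append(piece)
        expanded[name] = result
    return "; ".join(f"{n} {' '.join(s)}".rstrip() for n, s in expanded.items())


if __name__ == "__main__":
    # The two headers from the post, expanded.
    print(desugar("default-src 'self' foo.com; img-src 'default' bar.com"))
    print(desugar("default-src 'self' foo.com; img-src 'default-src' bar.com; "
                  "style-src 'img-src' baz.com"))
```

Because expansion is purely additive, this reproduces the limitation noted below the proposals: there is no way to say "everything in default-src except foo.com", and a reference to a directive that has not been declared yet fails loudly rather than quietly contributing nothing.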
Received on Wednesday, 16 July 2014 22:21:11 UTC
