Re: Header Policy Vs. Meta tag policy

I am not sure if a meta tag policy only constrains further. Joel started a
related thread a while back [1], and I had mentioned a couple of examples
where (it seemed to me) that an injected policy could add behavior instead
of just constraining further [2]. Joel also mentioned that he was
philosophically opposed to making CSP be "only allows you to constrain
further"[3].

To mitigate this concern, should we try to limit what meta tag policies can
do? For example, do we want to allow an injected policy to add a new
report-uri to attacker.com/logger?

Regards
Dev

[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0001.html
[2] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html
[3] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0020.html


On 11 June 2014 09:00, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 6/11/2014 12:20 AM, Mike West wrote:
>
>> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
>> your objection.
>>
>> I've made this change in
>> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>>
>> WDYT?
>>
>
> To be clear, your change does two things and we were mainly talking about
> the first:
>  * allows use of both HTTP and <meta> CSP
>  * allows use of multiple <meta> CSP
>
> The arguments against (and in favor of) multiple <meta> CSP are pretty
> much the same as the arguments for and against allowing a combination of
> header and <meta> policies. "It's useful, and why not since it can only
> tighten policies" vs. "Injection bug in site might be used to circumvent a
> feature whose main purpose assumes you need protection from injection
> bugs". I'm not objecting to the change, just announcing my intention to sit
> in the corner and fret about the possibility.
>
> -Dan Veditz
>
>

Received on Wednesday, 11 June 2014 17:33:43 UTC
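As an added illustration of the "only constrains further" question in this thread (this is not code from the thread, the commit, or the CSP spec): a reduced Python model of enforcing a header policy together with one or more `<meta>` policies. It assumes a document origin of https://example.com and a constructed report endpoint, and models only origin-level source matching plus the report-uri directive.

```python
# Reduced model of CSP "enforce every policy" semantics (added example).
# Only 'none', 'self', '*' and exact origins are matched; real CSP source
# matching (schemes, wildcard hosts, paths, nonces, hashes) is far richer.
from urllib.parse import urlsplit

DOC_ORIGIN = "https://example.com"  # constructed: origin of the protected page


def parse_policy(serialized):
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, url):
    """Match one source expression against the origin of a requested URL."""
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == DOC_ORIGIN
    if expr == "*":
        return True
    return expr.rstrip("/") == origin


def policy_allows(policy, directive, url):
    """Use the directive, falling back to default-src; absent both, allow."""
    values = policy.get(directive, policy.get("default-src"))
    if values is None:
        return True
    return any(source_matches(v, url) for v in values)


def enforce_all(policies, directive, url):
    """A load is allowed only if every policy allows it, so a <meta> policy can
    tighten but never widen; each blocking policy reports to its OWN report-uri,
    which is exactly how an injected policy gains a new reporting endpoint."""
    allowed, reports = True, []
    for policy in policies:
        if not policy_allows(policy, directive, url):
            allowed = False
            for endpoint in policy.get("report-uri", []):
                reports.append((endpoint, directive, url))
    return allowed, reports


def unexpected_report_endpoints(header_policy, meta_policies):
    """Defender check: report-uri values that <meta> policies add beyond the header's."""
    expected = set(header_policy.get("report-uri", []))
    return sorted({ep for p in meta_policies for ep in p.get("report-uri", []) if ep not in expected})
```

Running `enforce_all` with a header policy plus a `<meta>` policy of `script-src *` shows the header's restrictions still apply, while a `<meta>` policy carrying its own report-uri produces a violation report to that endpoint even when the header policy is satisfied.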