
Re: Header Policy Vs. Meta tag policy

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 11 Jun 2014 10:32:55 -0700
Message-ID: <CAPfop_0uOtPP+TcRLUCauKc_HHgS0J1J_eAfGV0ZyoDwbecksQ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Mike West <mkwst@google.com>, Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I am not sure if a meta tag policy only constrains further. Joel started a
related thread a while back [1], and I had mentioned a couple of examples
where (it seemed to me) an injected policy could add behavior instead
of just constraining further [2]. Joel also mentioned that he was
philosophically opposed to making CSP be "only allows you to constrain
further" [3].

To mitigate this concern, should we try to limit what meta tag policies can
do? For example, do we want to allow an injected policy to add a new
report-uri to attacker.com/logger?

Regards
Dev

[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0001.html
[2] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html
[3] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0020.html


On 11 June 2014 09:00, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 6/11/2014 12:20 AM, Mike West wrote:
>
>> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
>> your objection.
>>
>> I've made this change in
>> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>>
>> WDYT?
>>
>
> To be clear, your change does two things and we were mainly talking about
> the first:
>  * allows use of both HTTP and <meta> CSP
>  * allows use of multiple <meta> CSP
>
> The arguments against (and in favor of) multiple <meta> CSP are pretty
> much the same as the arguments for and against allowing a combination of
> header and <meta> policies. "It's useful, and why not since it can only
> tighten policies" vs. "Injection bug in site might be used to circumvent a
> feature whose main purpose assumes you need protection from injection
> bugs". I'm not objecting to the change, just announcing my intention to sit
> in the corner and fret about the possibility.
>
> -Dan Veditz
>
>
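To make the "can only tighten" vs. "adds behaviour" question concrete, here is a small Python model, added here and not code from the thread, the spec or any browser, of how a user agent enforces several CSP policies at once; the site, CDN and attacker hostnames are constructed. It shows that a load must satisfy every policy (so an injected meta policy cannot loosen the header policy), while report-uri endpoints accumulate per policy, which is exactly the report-uri case Dev raises.

```python
# Constructed model (not the thread's, the spec's or a browser's code) of
# multi-policy CSP enforcement: a load is allowed only if EVERY policy allows
# it, so a <meta> policy cannot widen a header policy, but each violated
# policy reports to its OWN report-uri, so an injected policy adds a report feed.
from urllib.parse import urlsplit

def parse_policy(text):
    """'directive v1 v2; directive2 ...' -> {directive: [values]}."""
    policy = {}
    for token in text.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, self_origin):
    """Minimal matcher: 'none', '*', 'self', or a bare host / scheme://host."""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}".lower()
    if expr == "'self'":
        return origin == self_origin.lower()
    return expr.lower() in (u.netloc.lower(), origin)

def allows(policy, directive, url, self_origin):
    """One policy allows the load if its directive (or default-src) matches."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # this policy does not govern the load at all
    return any(source_matches(s, url, self_origin) for s in sources)

def enforce(policies, directive, url, self_origin):
    """(allowed, report_endpoints): AND over policies; reports are additive."""
    allowed, reports = True, []
    for p in policies:
        if not allows(p, directive, url, self_origin):
            allowed = False
            reports.extend(p.get("report-uri", []))
    return allowed, reports

if __name__ == "__main__":
    site = "https://site.example"  # constructed document origin
    header = parse_policy("default-src 'self'; script-src 'self' cdn.example.com")
    loosen = parse_policy("script-src *")  # injected meta trying to widen: no effect
    tight = parse_policy("script-src 'none'; report-uri https://attacker.example/logger")
    print(enforce([header, loosen], "script-src", "https://evil.example/x.js", site))
    print(enforce([header, tight], "script-src", "https://cdn.example.com/lib.js", site))
```

The second call shows the concern in the thread: the site's own CDN script is now blocked and a violation report for it goes to the injected endpoint. CSP Level 2 later closed this specific gap by ignoring report-uri (along with frame-ancestors and sandbox) in meta-delivered policies.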
Received on Wednesday, 11 June 2014 17:33:43 UTC
