Re: Header Policy Vs. Meta tag policy

On Wed, Jun 11, 2014 at 8:55 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> I agree with you. I think we should definitely encourage the ability to
> lock down further via multiple policies.
>

Hooray!


> I glanced over the directive list and I wonder if whitelisting does
> suffice: how about we only allow all *-src and form-action in the meta
> element? It does seem conceptually clearer than the blacklisting approach,
> where we have to think about threats every time a new directive is added.
>

What about 'plugin-types'? What about 'referrer'? What about
'frame-ancestors'? I can see value in all three.

Basically, I think we have to think about the threats for all of the
directives anyway (and there are only 18 of them). It's clearly bad to
screw around with XSS protections (
https://github.com/w3c/webappsec/commit/814d990604ccc4968a259d261866a13802b41461).
It's clearly bad to turn on reporting. Sandboxing is fairly ineffective
once the page has loaded.

It seems like there are reasonable arguments for allowing the rest of the
directives. *shrug* We could certainly just whitelist (all of) those, and
then do the same exercise again when we add new directives in 1.2.

-mike

Received on Thursday, 12 June 2014 07:20:55 UTC