W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP: Problems with referrer and reflected-xss

From: Chris Palmer <palmer@google.com>
Date: Mon, 16 Jun 2014 11:33:33 -0700
Message-ID: <CAOuvq23Pb4Jh+-MuhXVD7h47c6ZRbKAMA4Efsggbnk_csEydGg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jun 16, 2014 at 2:41 AM, Brian Smith <brian@briansmith.org> wrote:

> I don't think that consolidation is happening; look at Public-Key-Pins and
> HSTS and CORS and many other things that are in separate header fields.

FWIW, I tried at first to have HPKP be an extension of HSTS, but the
IETF Working Group didn't want that. I still think it would have been
better if HPKP had been an extension of HSTS.

Generally I strongly support the consolidation for the cognitive load
reason. However, note that there was a lot of concern about header
bloat (e.g. a large set of HPKP pins could be 200 – 400 bytes, and
people were freaking out). I never bought into the bloat idea — I'm a
lot more concerned about all that plain text that nobody remembers to
gzip, and all the 1 MiB JPEGs that have height and width set to 400px
in HTML — but there you have it. Expect pushback on that front.

Another solution floated was to have the security policy expressed as
the resource retrieved from a well-known URI, rather than mashing it
in headers. Then it could be cached and pre-fetched.
Received on Monday, 16 June 2014 18:34:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC