
Re: Meta tag verification

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 10 Mar 2014 18:08:26 -0700
Message-ID: <CAHQV2Knv7mS-93Sa4_94Sytb9Q-h5tC_w9=Dpza53nw-zG2S7w@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Mar 3, 2014 at 1:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > Namely, it seems a little too easy to shoot oneself in the foot by doing
> > something as simple as putting a title tag with user content above it.
>
> How? The mental model I have of CSP is that it mostly constrains
> behavior, does not give new capabilities. So, injecting a new CSP
> policy should mostly not be an issue. Am I missing some attack?
>
script/style-hash/nonce?

On a more philosophical level, I also don't think we should restrict
ourselves to not granting new capabilities. We've listed at least 5
directives now where that does happen, and I'd hate to label these as
"special cases" only to have more special cases pop up over time.

>
> At a glance, the only directives that don't constrain further are with
> the report-uri, reflected-xss, and referrer directive. If so, for meta
> element CSP policies, maybe we can (a) limit report-uris to
> same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and
> (c) disallow 'unsafe-url' for referrer.
>
>
> ~Dev
>
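The restrictions Dev proposes for meta-delivered policies, plus the hash/nonce point Joel raises, can be expressed as a small validator. The following is an added example written for this archive page; it is not code from the thread, from any browser, or from the CSP specification, and the function names, the origin `https://example.test` and the sample policies are constructed for illustration. It parses a serialized policy and reports (a) `report-uri` endpoints that are not same-origin, (b) `reflected-xss allow`, (c) `referrer unsafe-url`, and any hash or nonce source in `script-src`/`style-src`, since those grant a capability rather than constrain one.

```javascript
// Added example (not from the thread or any spec): validate a CSP that arrived
// via <meta http-equiv="Content-Security-Policy"> against the restrictions
// discussed above. Function names and sample values are constructed.

// Parse a serialized CSP into a Map of directive-name -> array of value tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; keep only the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when `value` is a nonce or hash source expression such as 'nonce-abc'
// or 'sha256-...'. Source expressions are written inside single quotes.
function isHashOrNonceSource(value) {
  return /^'(nonce-|sha(256|384|512)-)/i.test(value);
}

// Validate a meta-delivered policy for the document at `documentOrigin`.
// Returns an array of findings; an empty array means every check passed.
function checkMetaCsp(policy, documentOrigin) {
  const findings = [];
  const directives = parseCsp(policy);
  const expectedOrigin = new URL(documentOrigin).origin;

  // (a) report-uri must be same-origin: an injected policy could otherwise
  //     direct violation reports (which carry page URLs) to a third party.
  for (const target of directives.get('report-uri') || []) {
    let origin = null;
    try {
      origin = new URL(target, documentOrigin).origin; // resolves relative URIs
    } catch (e) {
      // unparseable target stays null and is reported below
    }
    if (origin !== expectedOrigin) {
      findings.push(`report-uri ${target} is not same-origin with ${documentOrigin}`);
    }
  }

  // (b) reflected-xss 'allow' would disable the browser's XSS filter.
  const reflected = (directives.get('reflected-xss') || []).map(v => v.toLowerCase());
  if (reflected.includes('allow')) {
    findings.push("reflected-xss 'allow' is not permitted in a meta-delivered policy");
  }

  // (c) referrer 'unsafe-url' would send the full URL to every destination.
  const referrer = (directives.get('referrer') || []).map(v => v.toLowerCase());
  if (referrer.includes('unsafe-url')) {
    findings.push("referrer 'unsafe-url' is not permitted in a meta-delivered policy");
  }

  // Hash/nonce sources whitelist specific inline script or style: a new
  // capability, which is exactly what an injected meta policy should not add.
  for (const name of ['script-src', 'style-src']) {
    for (const value of directives.get(name) || []) {
      if (isHashOrNonceSource(value)) {
        findings.push(`${name} ${value} grants a capability via a meta policy`);
      }
    }
  }
  return findings;
}

// Usage with constructed sample policies.
const SAMPLE_ORIGIN = 'https://example.test';
const GOOD_POLICY = "default-src 'self'; report-uri /csp-report";
const BAD_POLICY =
  "default-src 'self'; report-uri https://collector.example.net/r; " +
  "reflected-xss allow; referrer unsafe-url; script-src 'self' 'nonce-abc123'";
console.log(checkMetaCsp(GOOD_POLICY, SAMPLE_ORIGIN));
console.log(checkMetaCsp(BAD_POLICY, SAMPLE_ORIGIN));
```

Only the checks named in the thread are implemented; a deployment would run this against the policy string before honoring a meta element, and treat any finding as a reason to ignore that policy rather than apply it.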
Received on Tuesday, 11 March 2014 01:08:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC