Re: Meta tag verification

On Mon, Mar 3, 2014 at 1:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > Namely, it seems a little too easy to shoot oneself in the foot by doing
> > something as simple as putting a title tag with user content above it.
>
> How? The mental model I have of CSP is that it mostly constrains
> behavior, does not give new capabilities. So, injecting a new CSP
> policy should mostly not be an issue. Am I missing some attack?
>
script/style-hash/nonce?

On a more philosophical level, I also don't think we should restrict
ourselves to not granting new capabilities. We've listed at least 5
directives now where that does happen, and I'd hate to label these as
"special cases" only to have more special cases pop up over time.

>
> At a glance, the only directives that don't constrain further are with
> the report-uri, reflected-xss, and referrer directive. If so, for meta
> element CSP policies, maybe we can (a) limit report-uris to
> same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and
> (c) disallow 'unsafe-url' for referrer.
>
>
> ~Dev
>

Received on Tuesday, 11 March 2014 01:08:54 UTC