- From: Joel Weinberger <jww@chromium.org>
- Date: Mon, 10 Mar 2014 18:08:26 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 11 March 2014 01:08:54 UTC
On Mon, Mar 3, 2014 at 1:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > Namely, it seems a little too easy to shoot oneself in the foot by doing
> > something as simple as putting a title tag with user content above it.
>
> How? The mental model I have of CSP is that it mostly constrains
> behavior, does not give new capabilities. So, injecting a new CSP
> policy should mostly not be an issue. Am I missing some attack?

script/style-hash/nonce?

On a more philosophical level, I also don't think we should restrict
ourselves to not granting new capabilities. We've listed at least 5
directives now where that does happen, and I'd hate to label these as
"special cases" only to have more special cases pop up over time.

>
> At a glance, the only directives that don't constrain further are with
> the report-uri, reflected-xss, and referrer directive. If so, for meta
> element CSP policies, maybe we can (a) limit report-uris to
> same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and
> (c) disallow 'unsafe-url' for referrer.
>
> ~Dev
>
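The three restrictions Dev proposes for meta-element policies, (a) same-origin report-uri, (b) no 'allow' for reflected-xss, (c) no 'unsafe-url' for referrer, can be expressed as a small lint that a build step or a server-side template check runs over any policy destined for a `<meta http-equiv="Content-Security-Policy">` element. The code below is an added example, not part of this thread and not Chromium or W3C code; `parseCsp`, `isSameOrigin` and `lintMetaPolicy` are hypothetical names, the sample policies and the page origin `https://example.org` are constructed, and the parser implements only the serialized-policy grammar (directives separated by `;`, first occurrence of a directive name wins) needed for this check.

```javascript
// Added example (not from the thread): a lint for CSP policies that will be
// delivered via a <meta> element, implementing the three restrictions
// proposed in the reply above. All function names are hypothetical.

// Parse a serialized CSP string into a Map of directive name -> value tokens.
// Directives are separated by ';'; a repeated directive name is ignored
// (the first occurrence wins), matching how browsers treat duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// A report-uri is same-origin if, resolved against the page, it has the
// page's origin. Relative URIs therefore pass; unparsable ones fail closed.
function isSameOrigin(uri, pageOrigin) {
  try {
    return new URL(uri, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false;
  }
}

// Return a list of findings (empty when the policy is acceptable for <meta>).
function lintMetaPolicy(policy, pageOrigin) {
  const d = parseCsp(policy);
  const findings = [];

  // (a) report-uri must be same-origin, so an injected policy cannot
  //     redirect violation reports (which carry page URLs) off-site.
  for (const uri of d.get('report-uri') || []) {
    if (!isSameOrigin(uri, pageOrigin)) {
      findings.push(`report-uri ${uri} is not same-origin with ${pageOrigin}`);
    }
  }

  // (b) reflected-xss 'allow' would switch the browser's XSS filter off.
  const rx = (d.get('reflected-xss') || []).map((v) => v.toLowerCase());
  if (rx.includes('allow')) {
    findings.push("reflected-xss 'allow' is not permitted in a meta policy");
  }

  // (c) referrer 'unsafe-url' would send the full page URL to every origin.
  const ref = (d.get('referrer') || []).map((v) => v.toLowerCase());
  if (ref.includes('unsafe-url')) {
    findings.push("referrer 'unsafe-url' is not permitted in a meta policy");
  }

  return findings;
}

// Constructed sample policies for a page at https://example.org.
const PAGE_ORIGIN = 'https://example.org';
const OK_POLICY = "default-src 'self'; report-uri /csp-report";
const BAD_POLICY =
  "default-src 'self'; report-uri https://other.example/collect; " +
  'reflected-xss allow; referrer unsafe-url';

console.log(lintMetaPolicy(OK_POLICY, PAGE_ORIGIN)); // []
console.log(lintMetaPolicy(BAD_POLICY, PAGE_ORIGIN)); // three findings
```

Running `lintMetaPolicy` before a policy is rendered into a meta element is the practical form of the proposal: the constraining directives pass through unchanged, and only the three capability-granting values are refused.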