
CSP3: DOM API Strawman

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 14:24:45 +0100
Message-ID: <CAKXHy=d+_ivyvWLQQep14s3xmiLx=55+H5zJYaiUccyf89y-uQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Alex Russell <slightlyoff@google.com>, Yehuda Katz <wycats@gmail.com>

I've started putting together a strawman DOM API for discussion:
https://w3c.github.io/webappsec/specs/content-security-policy/#strawman-dom-api

The current mishmash of IDL should (I think) support everything necessary
for source list directives like `script-src`. It'll need more work to
support things like `sandbox`, `referrer`, etc. There's not enough
explanation, but the general outline of a policy declaration could look
something like:

    // Assuming a Service Worker:
    self.addEventListener('fetch', function(event) {
      var p = new SecurityPolicy("script-src https://example.com");
      if (!p.allowRequest(event.request))
        event.respondWith(Response.error());
      ...
    });

I know there's not a lot of detail there, but perhaps it's enough to kick
off a conversation? CCing folks that I know are interested. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 3 November 2014 13:25:34 UTC
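The sketch in the message above, as an added example that is not part of the original post, the CSP spec text, or any browser's implementation: a small JavaScript model of the proposed `SecurityPolicy` object. It parses a policy string of source-list directives and decides `allowRequest(request)` using the CSP source-expression matching rules (scheme-source, host-source with a leading `*.` wildcard, a port or `*`, a path prefix, and the `'self'` and `'none'` keywords). Only the names `SecurityPolicy` and `allowRequest` come from the strawman; the explicit self-origin constructor argument, the destination-to-directive table, and the helpers `parsePolicy`, `sourceMatches` and `makeRequest` are assumptions made here, and the requests are constructed plain objects rather than real `fetch` `Request`s.

```javascript
// Added example: a model of the strawman SecurityPolicy API, not spec or browser code.
// Assumes the page's own origin is passed in explicitly and that a "request" is any
// object with {url, destination} (constructed by makeRequest below, not a fetch Request).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Directive consulted per request destination (assumed table); anything else,
// or a missing directive, falls back to default-src.
const DESTINATION_DIRECTIVE = {
  script: 'script-src', worker: 'script-src', style: 'style-src',
  image: 'img-src', font: 'font-src', '': 'connect-src',
};

// Effective port of a WHATWG URL (url.port is '' when it is the scheme's default).
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// "script-src a b; img-src c" -> Map { 'script-src' => ['a','b'], 'img-src' => ['c'] }.
// As in CSP, a repeated directive name is ignored: the first occurrence wins.
function parsePolicy(text) {
  const directives = new Map();
  for (const chunk of text.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// scheme-part matching: exact, or the upgrades http->https and ws->wss.
function schemeMatches(expected, actual) {
  return expected === actual ||
    (expected === 'http:' && actual === 'https:') ||
    (expected === 'ws:' && actual === 'wss:');
}

const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

// Does one source expression match the request URL?
function sourceMatches(expr, url, selfOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") {
    return url.protocol === selfOrigin.protocol && url.hostname === selfOrigin.hostname &&
      portOf(url) === portOf(selfOrigin);
  }
  let m = SCHEME_SOURCE.exec(lower);
  if (m) return schemeMatches(m[1] + ':', url.protocol);
  m = HOST_SOURCE.exec(expr);
  if (!m) return false; // unknown keyword or malformed source: matches nothing
  const scheme = m[1] ? m[1].toLowerCase() + ':' : selfOrigin.protocol; // no scheme: page's own
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  if (!schemeMatches(scheme, url.protocol)) return false;
  // Host: "*" matches anything, "*.example.com" matches subdomains only, else exact.
  const target = url.hostname.toLowerCase();
  if (host !== '*') {
    if (host.startsWith('*.')) { if (!target.endsWith(host.slice(1))) return false; }
    else if (host !== target) return false;
  }
  // Port: "*" matches any; a number must equal the URL's effective port;
  // no port at all means the URL must be on its scheme's default port.
  if (port === undefined) { if (url.port !== '') return false; }
  else if (port !== '*' && port !== portOf(url)) return false;
  // Path: a trailing "/" is a prefix match, otherwise exact (no percent-decoding here).
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

class SecurityPolicy {
  constructor(policyText, selfOrigin) {
    this.directives = parsePolicy(policyText);
    this.self = new URL(selfOrigin);
  }
  // Mirrors the strawman's p.allowRequest(request): allowed when no directive
  // governs the destination, otherwise only if some source expression matches.
  allowRequest(request) {
    const url = new URL(request.url);
    const name = DESTINATION_DIRECTIVE[request.destination];
    const sources = (name && this.directives.get(name)) || this.directives.get('default-src');
    if (!sources) return true;
    return sources.some(src => sourceMatches(src, url, this.self));
  }
}

// Constructed stand-in for a fetch Request, carrying only what the model needs.
function makeRequest(url, destination) {
  return { url, destination };
}

// Usage, following the Service Worker sketch in the message (self origin assumed):
const demoPolicy = new SecurityPolicy('script-src https://example.com', 'https://app.example.org');
for (const u of ['https://example.com/a.js', 'https://evil.example.com/a.js', 'https://example.com:8443/a.js']) {
  console.log(u, demoPolicy.allowRequest(makeRequest(u, 'script')) ? 'allowed' : 'blocked');
}
```

In the worker sketch the decision feeds `event.respondWith(Response.error())`; the model above stops at the boolean so the matching rules stay visible. Note the two places a naive implementation gets wrong: a `*.cdn.example` wildcard must not match `cdn.example` itself, and an expression without a port must reject a URL on a non-default port even when host and scheme match.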