[CSP] An outline of a taxonomy of CSP directives


Today I attempted to read the CSP 2 draft straight through, but I ran
out of time. I did so because I was hoping to try to factor out the
common elements of the various directives to form a taxonomy. My goal
was to find things that SHOULD be similar but which are not actually
specified the same way and/or where the similarities or differences
are not clear, with the goal of trying to nudge more things towards
working the same way. But, it turns out this is actually more time
consuming than I thought it would be. Here is an outline of the
taxonomy I've created so far. Do other people agree that this is what
is intended in the draft spec?

One thing I noticed during this exercise is that how violation reports
are sent or not sent is often unclear for each directive.

I've included the outline as a plain text attachment, and inline
below. I half expect the mailing list to butcher both.


* Purely Restrictive Directives
  * Consistent properties of Purely Restrictive Directives
    * Always safe to add to a document because combining rules
      work similarly?

  * Subresource Directives
    * Consistent properties of Subresource Directives
      * Apply to subresources within the document,
        not to the document itself.
      * <meta> works intuitively
      * Reporting works intuitively
        (except maybe nonces in reports may be problematic)

    * Subresource Source List directives
      * Consistent properties of Subresource Source List Directives
        * defaulted with default-src
      * child-src
      * connect-src
      * default-src (special)
      * font-src
      * frame-src
      * img-src
      * media-src
      * object-src
      * script-src
      * style-src

    * Other Subresource Directives
      * base-uri
      * form-action
      * plugin-types

  * Document Directives
    * Consistent properties of Document Directives
      * Apply to the document, not subresources
      * Ignored within <meta>
    * sandbox
      * Unique reporting rules? (unclear)
    * frame-ancestors
      * Unique reporting rules, with unique security
        considerations for reporting (unclear)

* Things that are not purely restrictive and may be dangerous
  * Consistent properties of these things
    * Keep security researchers employed indefinitely
    * Kill kittens
    * Make babies cry
  * referrer
    * Applies to subresources AND (uniquely) navigation
    * Allowed in <meta>
    * Custom (and suboptimal) combining rule
    * Reporting is not applicable
  * reflected-xss
    * Ignored in <meta>
    * Unspecified combining rule
    * Reporting is unspecified
    * Semantics unspecified
  * report-uri
    * Ignored in <meta>
    * Custom combining rule
    * Reporting is not applicable

Received on Thursday, 6 November 2014 07:19:06 UTC
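The "Subresource Source List" and "Document Directives" branches of the outline above, modelled as an added example (this is not code from the post or from the CSP 2 draft): a policy parser that drops the directives the outline lists as ignored in <meta>, a resolver that applies the default-src fallback only to the nine source-list directives (base-uri, form-action and plugin-types get no fallback), and a check that applies CSP 2's rule for multiple policies, under which a request must be allowed by every policy that applies. Source-expression matching is a simplified version of the spec's (assumption: scheme-source, host-source with optional "*." prefix and port, 'self', 'none' and '*' only; no nonces, hashes or path matching). The policies and URLs at the bottom are constructed for illustration.

```javascript
// Subresource source-list directives: the ones "defaulted with default-src".
const SOURCE_LIST_DIRECTIVES = new Set([
  'child-src', 'connect-src', 'font-src', 'frame-src', 'img-src',
  'media-src', 'object-src', 'script-src', 'style-src',
]);

// Directives the outline lists as ignored when delivered via <meta>.
const IGNORED_IN_META = new Set([
  'sandbox', 'frame-ancestors', 'reflected-xss', 'report-uri',
]);

// Parse a policy string into Map<directive name, source tokens>.
// Directive names are case-insensitive; a repeated directive keeps its
// first occurrence. delivery is 'header' or 'meta'.
function parsePolicy(text, delivery = 'header') {
  const policy = new Map();
  for (const raw of text.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    if (delivery === 'meta' && IGNORED_IN_META.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Resolve the source list that governs `directive`. Only the subresource
// source-list directives fall back to default-src; null means the policy
// places no restriction on that directive.
function effectiveSourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (SOURCE_LIST_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

// Simplified source-expression matching (assumption: no nonce/hash/path).
function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (wildcard) {
    // "*.example" matches sub.example but not example itself.
    if (!url.hostname.endsWith('.' + host)) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// Combining rule: with several policies in force, the request is allowed
// only if every one of them allows it (a policy that does not restrict the
// directive at all counts as allowing it).
function isAllowed(policies, directive, urlText, pageOrigin) {
  const url = new URL(urlText);
  return policies.every((policy) => {
    const list = effectiveSourceList(policy, directive);
    return list === null || list.some((src) => matchesSource(src, url, pageOrigin));
  });
}

// Constructed sample policies: one from the Content-Security-Policy header,
// one from a <meta> element on the same page.
const headerPolicy = parsePolicy(
  "default-src 'self'; img-src 'self' *.cdn.example; frame-ancestors 'none'; report-uri /csp"
);
const metaPolicy = parsePolicy(
  "script-src 'self' https://scripts.example; frame-ancestors 'none'", 'meta'
);
const PAGE_ORIGIN = 'https://app.example';

console.log(metaPolicy.has('frame-ancestors'));                 // false: dropped in <meta>
console.log(effectiveSourceList(headerPolicy, 'script-src'));   // [ "'self'" ] via default-src
console.log(effectiveSourceList(headerPolicy, 'form-action'));  // null: no default-src fallback
console.log(isAllowed([headerPolicy, metaPolicy], 'script-src',
  'https://scripts.example/a.js', PAGE_ORIGIN));                // false: header policy forbids it
```

The last call is the point of the "always safe to add" question in the outline: the <meta> policy widens script-src to scripts.example, but because every policy must agree, the header's default-src 'self' still wins, so adding a second purely restrictive policy can only narrow what is allowed.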