- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 5 Nov 2014 23:18:39 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAFewVt4b85H1ysYzmVF5PFG0DfdPD+ttmEK4apfwRgOsEhyVrg@mail.gmail.com>
Hi,

Today I attempted to read the CSP 2 draft straight through, but I ran out of time. I did so because I was hoping to try to factor out the common elements of the various directives to form a taxonomy. My goal was to find things that SHOULD be similar but which are not actually specified the same way and/or where the similarities or differences are not clear, with the goal of trying to nudge more things towards working the same way. But, it turns out this is actually more time consuming than I thought it would be.

Here is an outline of the taxonomy I've created so far. Do other people agree that this is what is intended in the draft spec? One thing I noticed during this exercise is that how violation reports are sent or not sent is often unclear for each directive.

I've included the outline as a plain text attachment, and inline below. I half expect the mailing list to butcher both.

Cheers,
Brian

* Purely Restrictive Directives
  * Consistent properties of Purely Restrictive Directives
    * Always safe to add to a document because combining rules work similarly?
  * Subresource Directives
    * Consistent properties of Subresource Directives
      * Apply to subresources within the document, not to the document itself.
      * <meta> works intuitively
      * Reporting works intuitively (except maybe nonces in reports may be problematic)
    * Subresource Source List Directives
      * Consistent properties of Subresource Source List Directives
        * Defaulted with default-src
      * child-src
      * connect-src
      * default-src (special)
      * font-src
      * frame-src
      * img-src
      * media-src
      * object-src
      * script-src
      * style-src
    * Other Subresource Directives
      * base-uri
      * form-action
      * plugin-types
  * Document Directives
    * Consistent properties of Document Directives
      * Apply to the document, not subresources
      * Ignored within <meta>
    * sandbox
      * Unique reporting rules? (unclear)
    * frame-ancestors
      * Unique reporting rules, with unique security considerations for reporting (unclear)
* Things that are not purely restrictive and may be dangerous
  * Consistent properties of these things
    * Keep security researchers employed indefinitely
    * Kill kittens
    * Make babies cry
  * referrer
    * Applies to subresources AND (uniquely) navigation
    * Allowed in <meta>
    * Custom (and suboptimal) combining rule
    * Reporting is not applicable
  * reflected-xss
    * Ignored in <meta>
    * Unspecified combining rule
    * Reporting is unspecified
    * Semantics unspecified
  * report-uri
    * Ignored in <meta>
    * Custom combining rule
    * Reporting is not applicable
Attachments
- text/plain attachment: CSP-taxonomy.txt
Received on Thursday, 6 November 2014 07:19:06 UTC
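The two mechanical rules in the outline above (subresource source-list directives fall back to default-src; document directives, reflected-xss and report-uri are ignored when delivered via <meta>) applied by a small Python resolver. This is an added example, not code from the message, the CSP 2 draft or any browser; the directive groupings are copied from the outline, and the first-occurrence handling of duplicate directives follows the CSP policy-parsing rule.

```python
from typing import Dict, List, Optional

# Groupings copied from the outline in the message above.
DEFAULTED_TO_DEFAULT_SRC = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
}
OTHER_SUBRESOURCE = {"base-uri", "form-action", "plugin-types"}
# Directives the outline lists as ignored when delivered through <meta>.
IGNORED_IN_META = {"sandbox", "frame-ancestors", "reflected-xss", "report-uri"}
KNOWN = (DEFAULTED_TO_DEFAULT_SRC | OTHER_SUBRESOURCE | IGNORED_IN_META
         | {"default-src", "referrer"})


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [values]}.

    A directive that appears twice keeps its first occurrence; a CSP parser
    ignores later copies of a directive it has already seen.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_values(policy: str, directive: str,
                     via_meta: bool = False) -> Optional[List[str]]:
    """Return the value list that governs `directive`, or None if none does."""
    directives = parse_policy(policy)
    if via_meta and directive in IGNORED_IN_META:
        return None  # dropped entirely when the policy arrives in <meta>
    if directive in directives:
        return directives[directive]
    if directive in DEFAULTED_TO_DEFAULT_SRC:
        return directives.get("default-src")  # outline: "defaulted with default-src"
    return None  # base-uri, form-action, plugin-types, referrer: no fallback


def resolve_policy(policy: str, via_meta: bool = False) -> Dict[str, List[str]]:
    """Resolve every directive in the taxonomy that ends up enforced."""
    resolved: Dict[str, List[str]] = {}
    for name in sorted(KNOWN):
        values = effective_values(policy, name, via_meta)
        if values is not None:
            resolved[name] = values
    return resolved
```

Comparing resolve_policy(p) with resolve_policy(p, via_meta=True) shows exactly which protections a page silently loses when the same policy is moved from a header into a <meta> element.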