- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 9 Nov 2014 14:48:43 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
The current draft says "Authors are strongly encouraged to place the meta element as early in the document as possible to reduce the risk of content injection before a protective policy can be read and enforced." I think this is reasonable. But, I think it would be better to replace "to reduce the risk of content injection before a protective policy can be read and enforced" with the more general statement "because policies in meta elements are not applied to content that precedes them". Also, I think some illustrative examples will help people understand what this means. I provide some examples below.

Also, I think that the specification should say something like "The user agent SHOULD report a warning message in the developer console when a <meta> CSP policy follows an element that would have been restricted if the <meta> element had preceded it."

Also, the current draft says "the meta element" but I think it should instead acknowledge the possibility of multiple "meta elements" and mention that all of the meta elements are combined together with the rest of the policies from the HTTP headers.

Also, this section has a note that says "The general mechanism for determining the effect of enforcing multiple policies is detailed in §3.5 Enforcing multiple policies." But, section 3.5 says "This section is not normative." The reference should be changed to reference the normative text for combining policies.

Cheers,
Brian

<!DOCTYPE html>
<meta charset="UTF-8">
<!-- WARNING: CSP in <meta> will not block this script! -->
<script>alert("before!")</script>
<meta http-equiv=Content-Security-Policy content="script-src 'none'">
<!-- CSP in <meta> will block this script. -->
<script>alert("after!")</script>

<!DOCTYPE html>
<meta charset="UTF-8">
<!-- WARNING: CSP in <meta> will not restrict this change of base. -->
<base href='//bad.example.com'>
<meta http-equiv=Content-Security-Policy content="base-uri 'none';">
<!-- This is a.js from bad.example.com! -->
<script src=a.js></script>

<!DOCTYPE html>
<meta charset="UTF-8">
<!-- WARNING: CSP in <meta> will not block this stylesheet! -->
<link rel=stylesheet href=//bad.example.com/bad.css>
<meta http-equiv=Content-Security-Policy content="style-src 'none'">
Received on Sunday, 9 November 2014 22:49:10 UTC
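The developer-console warning proposed in the message above can be approximated as a static check over the document source, which is what the following added example does. It is not code from the post or from the webappsec working group; it is a small Node.js script written for this page. It walks an HTML document in source order and, for every `<meta http-equiv="Content-Security-Policy">` it meets, reports the elements that came before it and would have been restricted had the policy been in force from the top. Two simplifications are assumptions of the example: a regex tag scanner stands in for a real HTML parser, and the source-list matcher only understands `'none'`, `'self'`, `'unsafe-inline'`, `*`, host and `*.host` sources. The sample documents are constructed for the example; the first three mirror the three cases in the post.

```javascript
// Static lint for "CSP in <meta> is not applied to content that precedes it".
// Added example, not code from the post. Assumes a regex tag scanner (not a
// full HTML parser) and a deliberately reduced CSP source-expression matcher.

// Which directive governs which element. Fetch directives fall back to
// default-src when absent; base-uri does not (no fallback).
const ELEMENT_DIRECTIVE = new Map([
  ['script', 'script-src'], ['style', 'style-src'], ['img', 'img-src'], ['base', 'base-uri'],
]);
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'style-src', 'img-src']);

function parseAttrs(attrText) {
  // Minimal attribute parser: name, name=bare, name="quoted", name='quoted'.
  const attrs = Object.create(null);
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

function parseCsp(policy) {
  // Serialized policy -> { directive: [source, ...] }. A repeated directive
  // name is ignored after its first occurrence, as CSP specifies.
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function hostOf(url) {
  // Host of an absolute or protocol-relative URL; null for a same-origin relative URL.
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]+)/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

function sourceAllows(sources, url) {
  // url === null means inline content (an inline <script> or <style> body).
  if (sources.some((s) => s.toLowerCase() === "'none'")) return false;
  if (url === null) return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const host = hostOf(url);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === '*') return true;
    if (s === "'self'" && host === null) return true;
    if (host === null || s.startsWith("'")) continue;        // keywords, nonces, hashes
    const srcHost = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/[:/].*$/, '');
    if (srcHost === host || (srcHost.startsWith('*.') && host.endsWith(srcHost.slice(1)))) return true;
  }
  return false;
}

function effectiveDirective(policy, directive) {
  if (directive in policy) return directive;
  if (FALLS_BACK_TO_DEFAULT.has(directive) && 'default-src' in policy) return 'default-src';
  return null;
}

function checkMetaCspOrder(html) {
  const warnings = [];
  const seen = [];                                   // policy-relevant elements so far, in source order
  const body = html.replace(/<!--[\s\S]*?-->/g, ''); // comments may mention <meta> etc.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = parseAttrs(m[2].replace(/\/\s*$/, ''));
    if (name === 'meta' && (attrs['http-equiv'] || '').toLowerCase() === 'content-security-policy') {
      // Everything in `seen` precedes this policy and therefore escapes it.
      const policy = parseCsp(attrs.content || '');
      for (const el of seen) {
        const directive = effectiveDirective(policy, el.directive);
        if (directive !== null && !sourceAllows(policy[directive], el.url)) {
          warnings.push({ element: el.name, url: el.url, directive, sources: policy[directive] });
        }
      }
      continue;
    }
    let directive = ELEMENT_DIRECTIVE.get(name) ?? null;
    if (name === 'link' && (attrs.rel || '').toLowerCase() === 'stylesheet') directive = 'style-src';
    if (directive === null) continue;
    const url = (name === 'link' || name === 'base' ? attrs.href : attrs.src) ?? null;
    if (url === null && name !== 'script' && name !== 'style') continue;  // e.g. <img> without src
    seen.push({ name, directive, url });
  }
  return warnings;
}

// Constructed sample documents; the first three mirror the cases in the post.
const SAMPLES = {
  inlineScriptBeforeMeta: `<!DOCTYPE html>\n<meta charset="UTF-8">\n<script>alert("before!")</script>\n<meta http-equiv=Content-Security-Policy content="script-src 'none'">\n<script>alert("after!")</script>`,
  baseBeforeMeta: `<!DOCTYPE html>\n<meta charset="UTF-8">\n<base href='//bad.example.com'>\n<meta http-equiv=Content-Security-Policy content="base-uri 'none';">\n<script src=a.js></script>`,
  stylesheetBeforeMeta: `<!DOCTYPE html>\n<meta charset="UTF-8">\n<link rel=stylesheet href=//bad.example.com/bad.css>\n<meta http-equiv=Content-Security-Policy content="style-src 'none'">`,
  mixed: `<!DOCTYPE html>\n<script src=//cdn.example.com/lib.js></script>\n<script src=/local.js></script>\n<script>inlineSetup()</script>\n<img src=//images.example.com/logo.png>\n<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.example.com">`,
  correctOrder: `<!DOCTYPE html>\n<meta charset="UTF-8">\n<meta http-equiv="Content-Security-Policy" content="default-src 'self'; base-uri 'none'">\n<script src=/app.js></script>\n<base href='//bad.example.com'>`,
};

function describe(w) {
  const where = w.url === null ? '' : ' ' + w.url;
  return `<${w.element}${where}> precedes the <meta> policy and would be blocked by ${w.directive} ${w.sources.join(' ')}`;
}

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label);
  for (const w of checkMetaCspOrder(html)) console.log('  WARNING: ' + describe(w));
}
```

The `correctOrder` sample produces no warning even though its `<base>` is exactly the one the policy forbids: the lint only reports the ordering problem, and enforcement of the `<base>` after the `<meta>` is the user agent's job. The `mixed` sample shows the fallback rule, where the `<img>` is caught by `default-src` because no `img-src` is present, while the inline `<script>` is caught by `script-src` for lack of `'unsafe-inline'`.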