- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 13 Nov 2014 19:05:52 -0800
- To: Ilya Grigorik <ilya@igvita.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 8:56 AM, Ilya Grigorik <ilya@igvita.com> wrote:
> On Wed, Nov 12, 2014 at 4:24 PM, Brian Smith <brian@briansmith.org> wrote:
>>
>> It's quite a usability failure, though. We're saying "Hey, here's
>> <meta http-equiv=Content-Security-Policy> to make CSP easier for you
>> to use, but don't use it, because it's not equivalent to the HTTP
>> Content-Security-Policy header."
>
> I don't think we should claim that they are equivalent.

The syntax ("http-equiv") literally says they are equivalent!

> For best results you need to define your CSP policy as early as possible.
> Specifying it in an HTTP header is the best route, as it guarantees that the
> policy can be parsed and applied before any response body bytes are
> processed. The second best option, if you can't use the HTTP header route,
> is to provide an equivalent policy via <meta>, which should be placed as
> early as possible in the document.

Developer tools should warn whenever anything other than "<!DOCTYPE html>",
"<html>", "<head>", or "<meta charset=...>" appears before
"<meta http-equiv=Content-Security-Policy>", regardless of whether it applies
to Link headers.

> I don't think we want to get into the business of "must be in first X bytes"
> -- this, by itself, is a usability problem. Similarly, requiring that we
> wait for <meta> would, once again, force proxies to start flushing fake head
> sections and doing other funny business.

I mostly agree with you. But, don't you already need to wait for
<meta name=Referrer> so that you know which Referer header to send in your
HTTP requests for prefetches that result from HTTP LINK? That is, doesn't
<meta> Referrer have the same problem?

> We should just make it clear that if you're using Link to initiate fetches,
> and you use CSP, then your CSP policy should be provided as an HTTP
> header... which is a security best practice anyway.

The way to make this clear would be to add a note to the HTML specification,
the CSP specification, and the resource hints specification, and then also
have developer tools warn when HTTP LINK and CSP <meta> are used together.

> Will do, if you want to follow along:
> https://github.com/w3c/resource-hints/issues/16

Thanks!

Cheers,
Brian
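The two developer-tools warnings Brian proposes, written out as a lint. This is an added example, not code from the thread, from any browser's devtools, or from the specifications mentioned: it scans the start tags of a document, reports anything other than the doctype, <html>, <head> or <meta charset=...> that precedes <meta http-equiv=Content-Security-Policy>, and reports a Link response header used together with a <meta> CSP when no Content-Security-Policy header is present. The minimal tag scanner (a regular expression rather than a real HTML parser) and the names `lintCspPlacement`, `startTags` and `attr` are assumptions made for illustration; the markup and headers in the usage lines are constructed.

```javascript
// Added example (not from the thread): lint the placement of a <meta> CSP
// and its combination with an HTTP Link header, as proposed in the message.
// The tag scanner below is a deliberately small stand-in for an HTML parser;
// it handles ordinary start tags, end tags and comments, nothing more.

// Return the start tags in document order as { name, attrs } objects.
// Comments and end tags are skipped. Names are lowercased.
function startTags(html) {
  const tags = [];
  const re = /<!--[\s\S]*?-->|<\s*(\/?)([a-zA-Z!][\w-]*)([^>]*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[0].startsWith('<!--')) continue; // comment
    if (m[1] === '/') continue;            // end tag
    tags.push({ name: m[2].toLowerCase(), attrs: m[3] });
  }
  return tags;
}

// Read one attribute value (quoted or bare) out of an attribute string;
// returns null when the attribute is absent.
function attr(attrs, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return (m[2] ?? m[3] ?? m[4]).trim();
}

function isCspMeta(tag) {
  if (tag.name !== 'meta') return false;
  const he = attr(tag.attrs, 'http-equiv');
  return he !== null && he.toLowerCase() === 'content-security-policy';
}

// The allow-list from the message: only the doctype, <html>, <head> and a
// charset declaration may precede the <meta> CSP without a warning.
function isAllowedBeforeCsp(tag) {
  if (tag.name === '!doctype' || tag.name === 'html' || tag.name === 'head') return true;
  return tag.name === 'meta' && attr(tag.attrs, 'charset') !== null;
}

// Lint the markup together with the response headers (a plain object whose
// keys are header names, matched case-insensitively). Returns findings as
// strings plus a summary of which delivery mechanisms were seen.
function lintCspPlacement(html, headers = {}) {
  const findings = [];
  const headerNames = Object.keys(headers).map((h) => h.toLowerCase());
  const hasCspHeader = headerNames.includes('content-security-policy');
  const hasLinkHeader = headerNames.includes('link');

  const tags = startTags(html);
  const cspIndex = tags.findIndex(isCspMeta);
  const hasMetaCsp = cspIndex !== -1;

  if (hasMetaCsp) {
    // Warning 1: anything outside the allow-list parsed before the policy.
    for (const t of tags.slice(0, cspIndex)) {
      if (!isAllowedBeforeCsp(t)) {
        findings.push(`<${t.name}> is parsed before <meta http-equiv=Content-Security-Policy> takes effect`);
      }
    }
    // Warning 2: Link-initiated fetches with only a <meta> policy to govern them.
    if (hasLinkHeader && !hasCspHeader) {
      findings.push('HTTP Link header used together with <meta> CSP and no Content-Security-Policy header; deliver the policy as an HTTP header');
    }
  }
  return { hasMetaCsp, hasCspHeader, findings };
}

// Usage with constructed input: a <title> and a <script> precede the policy,
// and the response also carries a Link header.
const sampleHtml =
  '<!DOCTYPE html><html><head><meta charset="utf-8"><title>x</title>' +
  '<script src="a.js"></script>' +
  '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">' +
  '</head><body></body></html>';
const sampleHeaders = { Link: '</a.css>; rel=preload; as=style' };
for (const f of lintCspPlacement(sampleHtml, sampleHeaders).findings) console.log('warning:', f);
```

The lint reports three warnings for the sample: the <title>, the <script>, and the Link/<meta> combination. Adding a Content-Security-Policy response header removes the third; moving the <meta> ahead of the <title> removes the first two. A production check would use a real tokenizer, since the regular expression here does not cope with `>` inside attribute values or with unusual markup.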
Received on Friday, 14 November 2014 03:06:18 UTC