- From: Sean Snider <ssnider@yahoo-inc.com>
- Date: Wed, 22 Oct 2014 21:09:36 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
+1 for me as well, however I do have a question... I've only mainly been following silently as I haven't had anything to bring up... But now that CSP 2.0 is advancing towards Candidate Recommendation, I have a question about the "referrer" directive.

I'm trying to understand the valid use-case for having "referrer" set to "none", rather than at least sending the origin (scheme + host). I can certainly agree with not necessarily allowing a query-string to be seen, and also the port number. While the path and host "could" have sensitive data... that's certainly not the case normally.

Say you have a host/origin like goodguys.org, which has a URL for an HTML response which is expected to be embedded in an IFRAME at some level. goodguys.org might have their own CSP policy which says who frame-ancestors can be. But on the other hand, they might just allow "*" since they expect said HTML to be embedded in an IFRAME by "someone", and that "someone" is effectively anyone. In fact it may not be plausible for them to truly white-list, and instead they generally just look at how they have been embedded, and "who" the parent is, so that they can monitor for any nastiness...

But then the top-level browsing context is set to evil.org, and evil.org has a CSP policy which says "referrer" = "none". In that case am I correct in assuming that goodguys.org cannot know who the parent caller/embedding entity is at all? goodguys.org can write script to check at what level their window has been embedded, but they cannot read the URL of the parent, and only document.referrer / the HTTP referrer of the request tells you that... How would goodguys.org protect that resource/URL from "bad parents" if it cannot always specify a white-list of frame-ancestors? Are we saying they can't...?

I suppose goodguys.org could REQUIRE a referrer be set to something in their server-side processing, but that seems tricky...

Thoughts?

Thanks
Sean Snider
Yahoo!
-----Original Message-----
From: Giorgio Maone [mailto:g.maone@informaction.com]
Sent: Tuesday, October 21, 2014 12:06 AM
To: Brad Hill; public-webappsec@w3.org
Subject: Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note

+1
--
Giorgio Maone

On 21/10/2014 01:13, Brad Hill wrote:
> WebAppSec members,
>
> We are on the verge of advancing Content Security Policy Level 2 to
> Candidate Recommendation, at which point it will be at the same
> maturity level as CSP 1.0.
>
> Whereas:
>
> 1) the incompatible differences are small and implementer intent seems
> to be to apply Level 2 behavior exclusively going forward...
>
> 2) we already lack for resources in test suite development and it is
> unlikely we will build distinct 1.0 and Level 2 test suites as would
> be necessary to advance both reports, or to complete the 1.0 test
> suite before 1.0-specific behaviors become deprecated by user
> agents...
>
> I believe that we should formally abandon the intent to further
> advance 1.0 and transition its status to "Working Group Note"
> (http://www.w3.org/2014/Process-20140801/#Note) upon advancement of
> Level 2 to CR. Whereafter we would concentrate our efforts on
> advancing, evangelizing and testing CSP Level 2 towards full
> Recommendation status.
>
> This Call for Consensus will conclude during our Monday session at
> TPAC, October 27th.
>
> Comments welcome, positive feedback encouraged, absence of comments
> will be considered assent.
>
> thank you,
>
> Brad Hill
Received on Thursday, 23 October 2014 20:48:11 UTC
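The server-side option Sean floats at the end of his message, written out as an added example that is not part of the thread and not anything goodguys.org or the working group published. It is a Node.js module for the framed side (the goodguys.org role): the only thing a cross-origin framed document can learn about its embedder is what the Referer header carries, so the decision is made from that header and nothing else. The function names, the `evil.example` / `partner.example` hostnames, the block list and the `requireReferrer` switch are all assumptions made for the example. Two points it makes concrete: Referer identifies the immediate parent document, not necessarily the top-level browsing context; and when the embedder's policy suppresses the referrer (CSP Level 2 "referrer none"; later CSP drafts dropped this directive in favour of the separate Referrer Policy specification, which changes nothing below), the server cannot identify the framer and is left with a pure policy choice between failing closed and serving blind.

```javascript
'use strict';

// Constructed block list for the example; the hostname is a placeholder,
// not a real site.
const KNOWN_BAD_EMBEDDERS = new Set(['evil.example']);

// Reduce a Referer header value to scheme + host. Port, path and query are
// deliberately discarded: the message argues those are the parts a framed
// page should not need, and an embedder whose policy sends only the origin
// would not supply them anyway. Returns null when the header is absent or
// is not an http(s) URL.
function referrerOrigin(referer) {
  if (typeof referer !== 'string' || referer.length === 0) return null;
  let u;
  try {
    u = new URL(referer);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return `${u.protocol}//${u.hostname}`;
}

// Decide how the embeddable document should respond to one request.
// `headers` is a lower-cased map of request headers; `requireReferrer` is
// the strict option from the message (refuse to serve when the embedder
// cannot be identified). The result carries the HTTP status, the response
// headers to set, the observed embedder origin (the immediate parent
// document's origin, which is what Referer carries; it is not necessarily
// the top-level page) and the reason for the decision.
function embedDecision(headers, requireReferrer) {
  const origin = referrerOrigin(headers['referer']);

  if (origin === null) {
    // The embedder's policy suppressed the referrer (e.g. a CSP Level 2
    // "referrer none" policy on the parent document), or the request has
    // none for some other reason. The framed page cannot learn who framed
    // it, so this is a policy choice: fail closed, or serve without knowing.
    if (requireReferrer) {
      return { status: 403, embedder: null, reason: 'no-referrer',
               headers: { 'Content-Security-Policy': "frame-ancestors 'none'" } };
    }
    return { status: 200, embedder: null, reason: 'served-blind',
             headers: { 'Content-Security-Policy': 'frame-ancestors *' } };
  }

  const host = new URL(origin).hostname;
  if (KNOWN_BAD_EMBEDDERS.has(host)) {
    return { status: 403, embedder: origin, reason: 'blocked',
             headers: { 'Content-Security-Policy': "frame-ancestors 'none'" } };
  }

  // Unknown or known-good embedder: serve, and pin frame-ancestors to the
  // origin that was observed, so the same response is not useful if it is
  // re-framed from somewhere else.
  return { status: 200, embedder: origin, reason: 'allowed',
           headers: { 'Content-Security-Policy': `frame-ancestors ${origin}` } };
}

// Constructed sample requests, as a framed document on goodguys.org might
// see them from different embedders.
const SAMPLE_REQUESTS = [
  { referer: 'https://partner.example:8443/embed?id=42' }, // origin-only is enough
  { referer: 'https://evil.example/top' },                 // listed embedder
  {},                                                      // embedder sent "referrer none"
];
for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(req), '->', JSON.stringify(embedDecision(req, false)));
}
```

Two caveats on the pinned `frame-ancestors` value: CSP checks every ancestor, so pinning to the observed parent also rejects the case where that parent is itself framed by a third origin (loosen it if nested embedding is expected), and the Referer is supplied by the client, so this check identifies cooperative embedders and does nothing against one that deliberately sends a false or empty value; the `requireReferrer` branch is the only part that fails closed.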