W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

RE: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note

From: Sean Snider <ssnider@yahoo-inc.com>
Date: Wed, 22 Oct 2014 21:09:36 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <594AED27D7A9BD4F93EDD2715E205A2041A37B7B@GQ1-MB04-02.y.corp.yahoo.com>
+1 for me as well, however I do have a question. . . 

I've only mainly been following silently as I haven't had anything to bring up. . .
But now that CSP 2.0 is advancing towards candidate recommendation, I have a question
about the "referrer" directive.

I'm trying to understand the valid use-case for having "referrer" set to "none",
rather at least sending origin (scheme + host).

I can certainly agree with not necessarily allowing a query-string to be seen,
and also the port number.  

While the path, and host "could" have sensitive data. . . that's certainly
not the case normally.  

Say you have a host/origin like goodguys.org, which has a URL for an HTML response,
which is expected to be embedded in an IFRAME at some-level.

goodguys.org would might have their own CSP policy which says who frame-ancestors
can be.  But on the other hand, they might just allow "*" since they expect said
HTML to be embedded in an IFRAME by "someone", and that "someone" is effectively
anyone.  In fact it may not be plausible for them to truly white-list, and instead
they generally just look at how they have been embedded, and "who" the parent is, 
so that they can monitor for any nastiness. . . 

But then the top-level browsing context is set to evil.org, and evil.org
has a CSP policy which says "referrer" = "none";

In that case am I correct in assuming that goodguys.org cannot know who
the parent caller/embedding entity is at all? 

goodguys.org can write script to check to see at what level their window has
been embedded.  But they cannot read the URL of the parent, and only document.referrer / 
HTTP referrer of the request tells you that. . . how would goodguys.org protect
that resources/URL from "bad parents" if it cannot always specify a white-list of
frame-ancestors?  Are we saying they can't . . ?  I suppose goodguys.org could
REQUIRE a referrer be set to something in their server-side processing, but
that seems tricky. . . 

Thoughts?

Thanks
Sean Snider
Yahoo!

-----Original Message-----
From: Giorgio Maone [mailto:g.maone@informaction.com] 
Sent: Tuesday, October 21, 2014 12:06 AM
To: Brad Hill; public-webappsec@w3.org
Subject: Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note

+1
--
Giorgio Maone

On 21/10/2014 01:13, Brad Hill wrote:
> WebAppSec members,
>
>  We are on the verge of advancing Content Security Policy Level 2 to 
> Candidate Recommendation, at which point it will be at the same 
> maturity level as CSP 1.0.
>
>  Whereas:
>
> 1) the incompatible differences are small and implementer intent seems 
> to be to apply Level 2 behavior exclusively going forward...
>
> 2) we already lack for resources in test suite development and it is 
> unlikely we will build distinct 1.0 and Level 2 test suites as would 
> be necessary to advance both reports, or to complete the 1.0 test 
> suite before 1.0-specific behaviors become deprecated by user 
> agents...
>
> I believe that we should formally abandon the intent to further 
> advance 1.0 and transition its status to "Working Group Note"
> (http://www.w3.org/2014/Process-20140801/#Note) upon advancement of 
> Level 2 to CR.  Whereafter we would concentrate our efforts on 
> advancing, evangelizing and testing CSP Level 2 towards full 
> Recommendation status.
>
> This Call for Consensus will conclude during our Monday session at 
> TPAC, October 27th.
>
> Comments welcome, positive feedback encouraged, absence of comments 
> will be considered assent.
>
> thank you,
>
> Brad Hill
>


Received on Thursday, 23 October 2014 20:48:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC