W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: Proposal: A pinning mechanism for CSP?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 17 Apr 2015 23:00:41 -0700
Message-ID: <CADYDTCA2KPQ+_92HQ1orhomZ7goAvu0+ruXHETNrvBaGrsZcpw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>
On Thu, Feb 12, 2015 at 12:04 AM, Mike West <mkwst@google.com> wrote:

> I'd justify crossing the origin boundary here by noting that
> subdomains can act as their parent domains via `document.domain`,


​Only if the parent domain explicitly opts in by setting document.domain
itself--this is the reason for the mysterious "document.domain =
document.domain;" code in some old sites. Any site still doing that is
opening itself up to abuse by any of its subdomains. document.domain is a
botch we've regretted for at least 15 years[*]; we should kill it, not
emulate it.

​[*] https://bugzilla.mozilla.org/show_bug.cgi?id=149943#c4​

cookies cross the origin/host boundary with abandon.


​Another 90s decision we suffer with to this day.​

Given that we
> ​ ​
> wish to protect against abuse of both, allowing explicitly pinned
> ​ ​
> policies to take effect over that boundary
> ​ ​
> seems reasonable.
>

​If these are the only reasons to propagate a CSP-pin to subdomains I'd be
more comfortable if we invented mechanisms to address those concerns that
didn't require includeSubdomains. For example, we could have a
no-document-domain directive in the pinned CSP for the parent site, and a
host-only-cookies​
​ directive (essentially allow the parent to declare itself a "public
suffix").
​


> >>
> ​Publishing a ​
> WD to widen the net seems like a good way of determining
> >>
> ​whether or not this ​
> kind of thing has legs.
> >
> > I don't know how the working group works, exactly. My expectation is
> > that the "determining whether or not this kind of thing has legs" step
> > should occur before adoption of the thing as a work item.
>

​Within the working group we decided a feature seemed likely to provide a
solution to a real problem before accepting it as a work item. "Widening
the net" means the notice of people outside the circle of this small
working group, from whence we might get additional feedback that changes
our opinion on the usefulness of the spec or helps give it a better shape.

-
​Dan Veditz​
Received on Saturday, 18 April 2015 06:01:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC