W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: JSON representation of CSP policies

From: Jonathan Kingston <jonathan@jooped.com>
Date: Sat, 15 Aug 2015 02:25:30 +0000
Message-ID: <CAKrjaaXhMkRu5wzWrwUPLjFgMSUd6FLL5TY3vmyfEYX5=WzQYg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I have also submitted a proposal for Ember to start using this for their
applications and addons which would give an implementation:

I'm not sure if browsers would initially have to do anything with this
proposal at all (However I have ideas where it could be utilised
certainly). However it would be great if we could agree on an external
representation mostly so each framework ecosystem doesn't go implementing
their own.

My underlying goal is that most of the implementation of the Ember checking
and the merging would be implemented in a stand alone package that any
library could consume.

On Sat, Aug 15, 2015 at 12:26 AM Brad Hill <hillbrad@gmail.com> wrote:

> I like this idea a lot.
> On Fri, Aug 14, 2015 at 3:22 PM Jonathan Kingston <jonathan@jooped.com>
> wrote:
>> Hi WebAppSec,
>> I have been thinking recently about how a subresource/external library
>> could declare what their policy was.
>> My current thinking is that this would be best served by a JSON
>> representation of CSP policies which would aid the publisher in being able
>> to merge several policies together without having to do a full audit of a
>> third party code.
>> The developer could simply merge in the new policy whilst still remaining
>> with the most stringent policy possible. Currently this step is manual and
>> I hope that this would allow it to become much more automated.
>> Here is my super draft proposal:
>> https://gist.github.com/jonathanKingston/5699b440f608960dc089
>> Kind regards
>> Jonathan
Received on Saturday, 15 August 2015 02:26:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC