
[CSP2] Re: CR: Content Security Policy Level 2

From: timeless <timeless@gmail.com>
Date: Tue, 25 Aug 2015 08:43:58 -0400
Message-ID: <CACsW8eG9AQLanUW9S=LKV+80F2pzQzTX0pd2Qjjyh7vMMm8wLw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Sorry for the delay...

CSP2 [1]

> Authors are strongly encouraged to place meta elements as early in the document as possible,
> because policies in meta elements are not applied to content which preceeds [sp] them.
> In particular, note that resources fetched or prefetched using the Link HTTP response header field,
> and resources fetched or prefetched using link and script elements which preceed [sp] a meta - delivered policy will not be blocked.

precede(s)

> Many common scenarios for permissioned [sp] embedding (e.g. embeddable payment, sharing or social apps)

permitted ?

> involve potentially many hundreds or thousands of valid source - list expressions,
> but it is strongly recommended against accommodating such scenarios with a static frame - ancestors directive listing multiple values.


> To fulfil [sp] this requirement user agents MUST wait until all headers have been processed before beginning to prefetch resources.

> Note: This section of the specification should not be interpreted as limiting user agents' ability to apply restrictions to violation reports in order to limit data leakage above and beyond what these algorithms specify.

Normally `'` is only used for raw text, and you use fancy quotes for prose.

as in:
> This restriction reduces the granularity of a document’s policy when redirects are in play,
> which isn’t wonderful, but given that we certainly don’t want to allow brute - forcing paths after redirects,
> it seems a reasonable compromise.

> 3.5 Enforcing multiple policies.

section titles should not include punctuation.

> The following changes are backwards incompatible with the majority of user agent’s implementations of CSP 1:
> Note: Paths are technically new in CSP2,

`CSP 1` v. `CSP2`, please consistently (don't) use a space between CSP
and the number.

> A protected resource’s ability to load Workers is now controlled via child-src rather than script-src.

this is the first reference to `Workers`, could it link to something?

> frame-ancestors controls the protected resource’s ability be embedded in other documents. It is meant to supplant the X-Frame-Options HTTP request header.

this is the first reference to `X-Frame-Options HTTP request header`,
could it reference [RFC7034] (or section 7.7.1)

> Each directives [sp] has a name and a value; a detailed grammar can be found in §4 Syntax and Algorithms.

directive

> The term callable refers to an object whose interface has one or more callers as defined in the Web IDL specification [WEBIDL].

While I object to the style, you generally stick `[FOO]` after the `.`
unless it's part of the prose.

no Oxford comma:
> JavaScript, as a Worker, Shared Worker or Service Worker

Oxford comma:
> If the origin of uri is a globally unique identifier (for example, uri has a scheme of data, blob, or filesystem), then abort these steps, and return the ASCII serialization of uri’s scheme.

Please pick a style

For the table in 3.6. Policy applicability:

no periods:
> The policy delivered with the resource
> Policy delivered with the resource

period:
> The policy delivered with the resource, or policy of the creating context if created from a globally unique identifier.

no period:
> The policy delivered with the resource, or policy of the creating context if created from a globally unique identifier

This is a pretty complicated wording:
> The embedded resource, however, is controlled by the policy delivered with the resource, or the policy of the embedding resource if the embedded resource is a globally unique identifier (or a srcdoc frame).


Could it be:

Unless the embedded resource is a globally unique identifier (or a
srcdoc frame), the embedded resource is controlled by the policy
delivered with the resource.

??

> If the source expression a consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match.

it feels like this should be pluggable. also what do you do about
internal browser protocols?

> 5. If the source expression does not have a scheme, return does not match if any of the following are true:
> 1. the scheme of the protected resource’s URL is a case insensitive match for HTTP, and url-scheme is not a case insensitive match for either HTTP or HTTPS

missing period/comma

> 2. the scheme of the protected resource’s URL is not a case insensitive match for HTTP, and url-scheme is not a case insensitive match for the scheme of the protected resource’s URL.


> 10. If the source expression does contain a port-part, then return does not match if both of the following are true:

> 1. port-part does not contain an U+002A ASTERISK character (*)
> 2. port-part does not represent the same number as url-port

missing periods/comma

> Note: Query strings have no impact on matching: the source expression example.com/file matches all of https://example.com/file, https://example.com/file?key=value, https://example.com/file?key=notvalue, and https://example.com/file?notkey=notvalue.

all of => each of

> The digest of element’s content for is the result of applying an algorithm to the element’s content.

could `an algorithm` be replaced by `a digest algorithm`?

> * SHA-256 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha256"
> * SHA-384 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha384"
> * SHA-512 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha512"

missing period(s)?

> 5.2. srcdoc IFrames

[2] has "4.8.6 The iframe element"

please don't write `IFrame`

> Step 4 of the algorithm defined in HTML5 to obtain a document’s base URL MUST be changed to:

What happens if the algorithm's steps are renumbered? Is there a
contract to prevent this from happening? -- It might be useful to at
least quote the old text...


> * Pinging an endpoint during hyperlink auditing.
> * Sending a beacon via the sendBeacon() method [BEACON]

missing period.

> EventSource maintains an open HTTP connection to a server in order to receive push notifications, WebSockets open a bidirectional communication channel between your browser and a server, and XMLHttpRequest makes arbitrary HTTP requests on your behalf.

`your` isn't applicable here-- change to `a`/`the user's`

> The connect-src directive allows you to ensure that these sorts of connections are only opened to origins you trust.

Here `you` is clearly `you [the developer]` and not `you [the user of
the user agent]`

> All of the following will fail with the preceding directive in place:

I favor `each` over `all`


> 2. Take one of the following actions:

> 1. Act as if it received an empty HTTP 200 response.
> 2. Redirect the user to a friendly error page which provides the option of opening the blocked page in a new top-level browsing context.

I'd favor bullets / letters instead of numbers, since it isn't really
a "do this sequence" sequence...

> Steps 3.2.2 and 3.2.3 ensure that the blocked frame appears to be a normal cross-origin document’s load.

document's => document ?

> The plugin is embedded into the protected resource via an applet element, and resource’s media type is not an ASCII case-insensitive match for application/x-java-applet.

what about x-java-vm and x-java-bean ?

> Note: Wildcards are not accepted in the plugin-types directive. Only the resource types explicitly listed in the directive will be allowed.

How is matching handled?

consider this mime type:
application/x-java-applet;version=1.4.2

is that matched by:

Content-Security-Policy: plugin-types application/pdf application/x-java-applet

> Currently, those include:

> * allow-forms
> * allow-pointer-lock
> * allow-popups
> * allow-same-origin
> * allow-scripts, and
> * allow-top-navigation

you only have one comma, either remove it, or add it to the preceding
bulleted items...

> 7.15.2. Hash usage for script elements

there should be an example with two hashes allowing two scripts.

> The style-src directive restricts which styles the user may applies to the protected resource.

`user may` doesn't make sense; you might mean `user agent`, in which
case you'd want `apply`.

> Requesting an external stylesheet when processing a Link HTTP response header field [RFC5988].

normally you'd put [FOO] after the period here. (I don't like that
style, but you generally use it.)

[1] http://www.w3.org/TR/2015/CR-CSP2-20150721/
[2] https://html.spec.whatwg.org/multipage/embedded-content.html#the-iframe-element
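The source-expression matching rules quoted in the message above (a bare `*` that excludes blob, data and filesystem URLs, scheme inheritance with the HTTP-to-HTTPS allowance, `*.` host prefixes, `*` port-parts, and query strings playing no role in path matching) as a runnable reference implementation. This is an added example written for this archive page, not code from the CSP2 spec or from the email; it covers host-sources and scheme-sources only, and leaves out the percent-decoding and per-segment path comparison of the full algorithm.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
UNIQUE_SCHEMES = ("blob", "data", "filesystem")   # globally unique identifiers

def url_matches(expr, url, protected_scheme, redirect_count=0):
    """True if url matches the host-source or scheme-source `expr` for a
    protected resource whose URL scheme is `protected_scheme` (CSP2 4.2.2).
    Keyword, nonce and hash sources are not handled here."""
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    if expr == "*":                                    # step 1: bare wildcard
        return url_scheme not in UNIQUE_SCHEMES
    if expr.endswith(":") and "/" not in expr:         # scheme-source, e.g. "https:"
        return expr[:-1].lower() == url_scheme
    scheme_part, sep, rest = expr.partition("://")     # split the host-source
    if not sep:
        scheme_part, rest = None, expr
    hostport, slash, tail = rest.partition("/")
    path_part = slash + tail
    host_part, _, port_part = hostport.partition(":")
    if scheme_part is not None:                        # step 4: explicit scheme-part
        if scheme_part.lower() != url_scheme:
            return False
    else:                                              # step 5: inherit; http may upgrade to https
        ps = protected_scheme.lower()
        if url_scheme != ps and not (ps == "http" and url_scheme == "https"):
            return False
    url_host = (u.hostname or "").lower()
    if not url_host:                                   # step 6: url has no host
        return False
    if host_part.startswith("*"):                      # step 7: "*.example.com" keeps the dot
        if not url_host.endswith(host_part[1:].lower()):
            return False
    elif host_part.lower() != url_host:                # step 8: exact host match
        return False
    url_port = u.port or DEFAULT_PORTS.get(url_scheme)
    if not port_part:                                  # step 9: no port-part means default port
        if url_port != DEFAULT_PORTS.get(url_scheme):
            return False
    elif port_part != "*" and port_part != str(url_port):  # step 10: "*" or same number
        return False
    if path_part and path_part != "/" and redirect_count == 0:  # paths ignored after a redirect
        url_path = u.path or "/"                       # the query string never takes part
        if path_part.endswith("/"):
            return url_path.startswith(path_part)      # directory prefix
        return url_path == path_part                   # exact file match
    return True
```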
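For the request above that 7.15.2 show two hashes allowing two scripts, an added example (not from the spec or from the email) that computes CSP2 hash-sources for two constructed inline scripts, builds the script-src value, and emulates the user agent's digest check, including the case-insensitive hash-algo comparison the message quotes. The first script is the `alert('Hello, world.');` string used in the spec's own example; the second is made up here.

```python
import base64
import hashlib

HASH_ALGOS = ("sha256", "sha384", "sha512")   # the only hash-algo values CSP2 defines

def hash_source(content, algo="sha256"):
    """Build the CSP2 hash-source for an inline script: the digest is taken
    over the exact text between <script> and </script>, with no trimming."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported hash-algo: {algo}")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return "'" + algo + "-" + base64.b64encode(digest).decode("ascii") + "'"

def script_src_for(scripts, algo="sha256"):
    """script-src directive value allowing each listed inline script by hash."""
    return "script-src " + " ".join(hash_source(s, algo) for s in scripts)

def script_allowed(content, directive_value):
    """Emulate the user agent: the script may run if its digest, under the
    algorithm named by some hash-source in the directive (hash-algo compared
    ASCII case-insensitively), equals that hash-source's base64 digest."""
    for token in directive_value.split()[1:]:        # skip the directive name
        algo, _, expected = token.strip("'").partition("-")
        algo = algo.lower()
        if algo not in HASH_ALGOS:
            continue                                  # host-sources, keywords, nonces
        digest = hashlib.new(algo, content.encode("utf-8")).digest()
        if base64.b64encode(digest).decode("ascii") == expected:
            return True
    return False

# Constructed inline scripts; INLINE_A is the string the spec's example hashes.
INLINE_A = "alert('Hello, world.');"
INLINE_B = "document.title = 'second script';"

if __name__ == "__main__":
    policy = script_src_for([INLINE_A, INLINE_B])
    print("Content-Security-Policy:", policy)
    for s in (INLINE_A, INLINE_B, INLINE_A + " "):   # trailing space changes the digest
        print(repr(s), "->", "allowed" if script_allowed(s, policy) else "blocked")
```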
Received on Tuesday, 25 August 2015 12:44:28 UTC