Re: [CSP2] Re: CR: Content Security Policy Level 2

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 28 Aug 2015 01:07:00 +0000
Message-ID: <CAEeYn8iEs7feb0-dubWRkjY7-fzPoZHOE1TBtx48s4CEOLds7Q@mail.gmail.com>
To: timeless <timeless@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

PR addressing much of this at:

https://github.com/w3c/webappsec/pull/462

Unaddressed issues from the review:

* Fancy quotes.  I live in fear of the question box for fancy quotes, so
not going to touch this one.
* Pluggable matching algorithm for unique identifier schemes
* Java mime-type matching (please, can the Java plugin just die already?)

On Tue, Aug 25, 2015 at 5:46 AM timeless <timeless@gmail.com> wrote:

> Sorry for the delay...
>
> CSP2 [1]
>
> > Authors are strongly encouraged to place meta elements as early in the
> document as possible,
> > because policies in meta elements are not applied to content which
> preceeds [sp] them.
> > In particular, note that resources fetched or prefetched using the Link
> HTTP response header field,
> > and resources fetched or prefetched using link and script elements which
> preceed [sp] a meta - delivered policy will not be blocked.
>
> precede(s)
>
> > Many common scenarios for permissioned [sp] embedding (e.g. embeddable
> payment, sharing or social apps)
>
> permitted ?
>
> > involve potentially many hundreds or thousands of valid source - list
> expressions,
> > but it is strongly recommended against accommodating such scenarios with
> a static frame - ancestors directive listing multiple values.
>
>
> > To fulfil [sp] this requirement user agents MUST wait until all headers
> have been processed before beginning to prefetch resources.
>
> > Note: This section of the specification should not be interpreted as
> limiting user agents' ability to apply restrictions to violation reports in
> order to limit data leakage above and beyond what these algorithms specify.
>
> Normally `'` is only used for raw text, and you use fancy quotes for prose.
>
> as in:
> > This restriction reduces the granularity of a document’s policy when
> redirects are in play,
> > which isn’t wonderful, but given that we certainly don’t want to allow
> brute - forcing paths after redirects,
> > it seems a reasonable compromise.
>
> > 3.5 Enforcing multiple policies.
>
> section titles should not include punctuation.
>
> > The following changes are backwards incompatible with the majority of
> user agent’s implementations of CSP 1:
> > Note: Paths are technically new in CSP2,
>
> `CSP 1` v. `CSP2`, please consistently (don't) use a space between CSP
> and the number.
>
> > A protected resource’s ability to load Workers is now controlled via
> child-src rather than script-src.
>
> this is the first reference to `Workers`, could it link to something?
>
> > frame-ancestors controls the protected resource’s ability be embedded in
> other documents. It is meant to supplant the X-Frame-Options HTTP request
> header.
>
> this is the first reference to `X-Frame-Options HTTP request header`,
> could it reference [RFC7034] (or section 7.7.1)
>
> > Each directives [sp] has a name and a value; a detailed grammar can be
> found in §4 Syntax and Algorithms.
>
> directive
>
> > The term callable refers to an object whose interface has one or more
> callers as defined in the Web IDL specification [WEBIDL].
>
> While I object to the style, you generally stick `[FOO]` after the `.`
> unless it's part of the prose.
>
> no Oxford comma:
> > JavaScript, as a Worker, Shared Worker or Service Worker
>
> Oxford comma:
> > If the origin of uri is a globally unique identifier (for example, uri
> has a scheme of data, blob, or filesystem), then abort these steps, and
> return the ASCII serialization of uri’s scheme.
>
> Please pick a style
>
> For the table in 3.6. Policy applicability:
>
> no periods:
> > The policy delivered with the resource
> > Policy delivered with the resource
>
> period:
> > The policy delivered with the resource, or policy of the creating
> context if created from a globally unique identifier.
>
> no period:
> > The policy delivered with the resource, or policy of the creating
> context if created from a globally unique identifier
>
> This is a pretty complicated wording:
> > The embedded resource, however, is controlled by the policy delivered
> with the resource, or the policy of the embedding resource if the embedded
> resource is a globally unique identifier (or a srcdoc frame).
>
>
> Could it be:
>
> Unless the embedded resource is a globally unique identifier (or a
> srcdoc frame), the embedded resource is controlled by the policy
> delivered with the resource.
>
> ??
>
> > If the source expression a consists of a single U+002A ASTERISK
> character (*), and url’s scheme is not one of blob, data, filesystem, then
> return does match.
>
> it feels like this should be pluggable. also what do you do about
> internal browser protocols?
>
> > 5. If the source expression does not have a scheme, return does not
> match if any of the following are true:
> > 1. the scheme of the protected resource’s URL is a case insensitive
> match for HTTP, and url-scheme is not a case insensitive match for either
> HTTP or HTTPS
>
> missing period/comma
>
> > 2. the scheme of the protected resource’s URL is not a case insensitive
> match for HTTP, and url-scheme is not a case insensitive match for the
> scheme of the protected resource’s URL.
>
>
> > 10. If the source expression does contain a port-part, then return does
> not match if both of the following are true:
>
> > 1. port-part does not contain an U+002A ASTERISK character (*)
> > 2. port-part does not represent the same number as url-port
>
> missing periods/comma
>
> > Note: Query strings have no impact on matching: the source expression
> example.com/file matches all of https://example.com/file,
> https://example.com/file?key=value, https://example.com/file?key=notvalue,
> and https://example.com/file?notkey=notvalue.
>
> all of => each of
>
> > The digest of element’s content for is the result of applying an
> algorithm to the element’s content.
>
> could `an algorithm` be replaced by `a digest algorithm`?
>
> > * SHA-256 if the hash-algo component of hash is an ASCII
> case-insensitive match for the string "sha256"
> > * SHA-384 if the hash-algo component of hash is an ASCII
> case-insensitive match for the string "sha384"
> > * SHA-512 if the hash-algo component of hash is an ASCII
> case-insensitive match for the string "sha512"
>
> missing period(s)?
>
> > 5.2. srcdoc IFrames
>
> [2] has "4.8.6 The iframe element"
>
> please don't write `IFrame`
>
> > Step 4 of the algorithm defined in HTML5 to obtain a document’s base URL
> MUST be changed to:
>
> What happens if the algorithm's steps are renumbered? Is there a
> contract to prevent this from happening? -- It might be useful to at
> least quote the old text...
>
>
> > * Pinging an endpoint during hyperlink auditing.
> > * Sending a beacon via the sendBeacon() method [BEACON]
>
> missing period.
>
> > EventSource maintains an open HTTP connection to a server in order to
> receive push notifications, WebSockets open a bidirectional communication
> channel between your browser and a server, and XMLHttpRequest makes
> arbitrary HTTP requests on your behalf.
>
> `your` isn't applicable here-- change to `a`/`the user's`
>
> > The connect-src directive allows you to ensure that these sorts of
> connections are only opened to origins you trust.
>
> Here `you` is clearly `you [the developer]` and not `you [the user of
> the user agent]`
>
> > All of the following will fail with the preceding directive in place:
>
> I favor `each` over `all`
>
>
> > 2. Take one of the following actions:
>
> > 1. Act as if it received an empty HTTP 200 response.
> > 2. Redirect the user to a friendly error page which provides the option
> of opening the blocked page in a new top-level browsing context.
>
> I'd favor bullets / letters instead of numbers, since it isn't really
> a "do this sequence" sequence...
>
> > Steps 3.2.2 and 3.2.3 ensure that the blocked frame appears to be a
> normal cross-origin document’s load.
>
> document's => document ?
>
> > The plugin is embedded into the protected resource via an applet
> element, and resource’s media type is not an ASCII case-insensitive match
> for application/x-java-applet.
>
> what about x-java-vm and x-java-bean ?
>
> > Note: Wildcards are not accepted in the plugin-types directive. Only the
> resource types explicitly listed in the directive will be allowed.
>
> How is matching handled?
>
> consider this mime type:
> application/x-java-applet;version=1.4.2
>
> is that matched by:
>
> Content-Security-Policy: plugin-types application/pdf
> application/x-java-applet
>
> > Currently, those include:
>
> > * allow-forms
> > * allow-pointer-lock
> > * allow-popups
> > * allow-same-origin
> > * allow-scripts, and
> > * allow-top-navigation
>
> you only have one comma, either remove it, or add it to the preceding
> bulleted items...
>
> > 7.15.2. Hash usage for script elements
>
> there should be an example with two hashes allowing two scripts.
>
> > The style-src directive restricts which styles the user may applies to
> the protected resource.
>
> `user may` doesn't make sense; you might mean `user agent`, in which
> case you'd want `apply`.
>
> > Requesting an external stylesheet when processing a Link HTTP response
> header field [RFC5988].
>
> normally you'd put [FOO] after the period here. (I don't like that
> style, but you generally use it.)
>
>
> [1] http://www.w3.org/TR/2015/CR-CSP2-20150721/
> [2] https://html.spec.whatwg.org/multipage/embedded-content.html#the-iframe-element
>
>
Received on Friday, 28 August 2015 01:07:39 UTC