- From: Brad Hill <hillbrad@gmail.com>
- Date: Fri, 28 Aug 2015 01:07:00 +0000
- To: timeless <timeless@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8iEs7feb0-dubWRkjY7-fzPoZHOE1TBtx48s4CEOLds7Q@mail.gmail.com>
PR addressing much of this at: https://github.com/w3c/webappsec/pull/462

Unaddressed issues from the review:

* Fancy quotes. I live in fear of the question box for fancy quotes, so not going to touch this one.
* Pluggable matching algorithm for unique identifier schemes
* Java mime-type matching (please, can the Java plugin just die already?)

On Tue, Aug 25, 2015 at 5:46 AM timeless <timeless@gmail.com> wrote:

> Sorry for the delay...
>
> CSP2 [1]
>
> > Authors are strongly encouraged to place meta elements as early in the document as possible, because policies in meta elements are not applied to content which preceeds [sp] them. In particular, note that resources fetched or prefetched using the Link HTTP response header field, and resources fetched or prefetched using link and script elements which preceed [sp] a meta-delivered policy will not be blocked.
>
> precede(s)
>
> > Many common scenarios for permissioned [sp] embedding (e.g. embeddable payment, sharing or social apps)
>
> permitted ?
>
> > involve potentially many hundreds or thousands of valid source-list expressions, but it is strongly recommended against accommodating such scenarios with a static frame-ancestors directive listing multiple values.
>
> > To fulfil [sp] this requirement user agents MUST wait until all headers have been processed before beginning to prefetch resources.
>
> > Note: This section of the specification should not be interpreted as limiting user agents' ability to apply restrictions to violation reports in order to limit data leakage above and beyond what these algorithms specify.
>
> Normally `'` is only used for raw text, and you use fancy quotes for prose.
>
> as in:
>
> > This restriction reduces the granularity of a document’s policy when redirects are in play, which isn’t wonderful, but given that we certainly don’t want to allow brute-forcing paths after redirects, it seems a reasonable compromise.
>
> > 3.5 Enforcing multiple policies.
>
> section titles should not include punctuation.
>
> > The following changes are backwards incompatible with the majority of user agent’s implementations of CSP 1:
>
> > Note: Paths are technically new in CSP2,
>
> `CSP 1` v. `CSP2`, please consistently (don't) use a space between CSP and the number.
>
> > A protected resource’s ability to load Workers is now controlled via child-src rather than script-src.
>
> this is the first reference to `Workers`, could it link to something?
>
> > frame-ancestors controls the protected resource’s ability be embedded in other documents. It is meant to supplant the X-Frame-Options HTTP request header.
>
> this is the first reference to `X-Frame-Options HTTP request header`, could it reference [RFC7034] (or section 7.7.1)
>
> > Each directives [sp] has a name and a value; a detailed grammar can be found in §4 Syntax and Algorithms.
>
> directive
>
> > The term callable refers to an object whose interface has one or more callers as defined in the Web IDL specification [WEBIDL].
>
> While I object to the style, you generally stick `[FOO]` after the `.` unless it's part of the prose.
>
> no Oxford comma:
>
> > JavaScript, as a Worker, Shared Worker or Service Worker
>
> Oxford comma:
>
> > If the origin of uri is a globally unique identifier (for example, uri has a scheme of data, blob, or filesystem), then abort these steps, and return the ASCII serialization of uri’s scheme.
>
> Please pick a style
>
> For the table in 3.6. Policy applicability:
>
> no periods:
>
> > The policy delivered with the resource
>
> > Policy delivered with the resource
>
> period:
>
> > The policy delivered with the resource, or policy of the creating context if created from a globally unique identifier.
>
> no period:
>
> > The policy delivered with the resource, or policy of the creating context if created from a globally unique identifier
>
> This is a pretty complicated wording:
>
> > The embedded resource, however, is controlled by the policy delivered with the resource, or the policy of the embedding resource if the embedded resource is a globally unique identifier (or a srcdoc frame).
>
> Could it be:
>
> > Unless the embedded resource is a globally unique identifier (or a srcdoc frame), the embedded resource is controlled by the policy delivered with the resource.
>
> ??
>
> > If the source expression a consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match.
>
> it feels like this should be pluggable. also what do you do about internal browser protocols?
>
> > 5. If the source expression does not have a scheme, return does not match if any of the following are true:
> >
> > 1. the scheme of the protected resource’s URL is a case insensitive match for HTTP, and url-scheme is not a case insensitive match for either HTTP or HTTPS
>
> missing period/comma
>
> > 2. the scheme of the protected resource’s URL is not a case insensitive match for HTTP, and url-scheme is not a case insensitive match for the scheme of the protected resource’s URL.
>
> > 10. If the source expression does contain a port-part, then return does not match if both of the following are true:
> >
> > 1. port-part does not contain an U+002A ASTERISK character (*)
> >
> > 2. port-part does not represent the same number as url-port
>
> missing periods/comma
>
> > Note: Query strings have no impact on matching: the source expression example.com/file matches all of https://example.com/file, https://example.com/file?key=value, https://example.com/file?key=notvalue, and https://example.com/file?notkey=notvalue.
>
> all of => each of
>
> > The digest of element’s content for is the result of applying an algorithm to the element’s content.
>
> could `an algorithm` be replaced by `a digest algorithm`?
>
> > * SHA-256 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha256"
> > * SHA-384 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha384"
> > * SHA-512 if the hash-algo component of hash is an ASCII case-insensitive match for the string "sha512"
>
> missing period(s)?
>
> > 5.2. srcdoc IFrames
>
> [2] has "4.8.6 The iframe element"
>
> please don't write `IFrame`
>
> > Step 4 of the algorithm defined in HTML5 to obtain a document’s base URL MUST be changed to:
>
> What happens if the algorithm's steps are renumbered? Is there a contract to prevent this from happening? -- It might be useful to at least quote the old text...
>
> > * Pinging an endpoint during hyperlink auditing.
> > * Sending a beacon via the sendBeacon() method [BEACON]
>
> missing period.
>
> > EventSource maintains an open HTTP connection to a server in order to receive push notifications, WebSockets open a bidirectional communication channel between your browser and a server, and XMLHttpRequest makes arbitrary HTTP requests on your behalf.
>
> `your` isn't applicable here-- change to `a`/`the user's`
>
> > The connect-src directive allows you to ensure that these sorts of connections are only opened to origins you trust.
>
> Here `you` is clearly `you [the developer]` and not `you [the user of the user agent]`
>
> > All of the following will fail with the preceding directive in place:
>
> I favor `each` over `all`
>
> > 2. Take one of the following actions:
> >
> > 1. Act as if it received an empty HTTP 200 response.
> >
> > 2. Redirect the user to a friendly error page which provides the option of opening the blocked page in a new top-level browsing context.
>
> I'd favor bullets / letters instead of numbers, since it isn't really a "do this sequence" sequence...
>
> > Steps 3.2.2 and 3.2.3 ensure that the blocked frame appears to be a normal cross-origin document’s load.
>
> document's => document ?
>
> > The plugin is embedded into the protected resource via an applet element, and resource’s media type is not an ASCII case-insensitive match for application/x-java-applet.
>
> what about x-java-vm and x-java-bean ?
>
> > Note: Wildcards are not accepted in the plugin-types directive. Only the resource types explicitly listed in the directive will be allowed.
>
> How is matching handled?
>
> consider this mime type:
> application/x-java-applet;version=1.4.2
>
> is that matched by:
>
> Content-Security-Policy: plugin-types application/pdf application/x-java-applet
>
> > Currently, those include:
> >
> > * allow-forms
> > * allow-pointer-lock
> > * allow-popups
> > * allow-same-origin
> > * allow-scripts, and
> > * allow-top-navigation
>
> you only have one comma, either remove it, or add it to the preceding bulleted items...
>
> > 7.15.2. Hash usage for script elements
>
> there should be an example with two hashes allowing two scripts.
>
> > The style-src directive restricts which styles the user may applies to the protected resource.
>
> `user may` doesn't make sense; you might mean `user agent`, in which case you'd want `apply`.
>
> > Requesting an external stylesheet when processing a Link HTTP response header field [RFC5988].
>
> normally you'd put [FOO] after the period here. (I don't like that style, but you generally use it.)
>
> [1] http://www.w3.org/TR/2015/CR-CSP2-20150721/
> [2] https://html.spec.whatwg.org/multipage/embedded-content.html#the-iframe-element
Received on Friday, 28 August 2015 01:07:39 UTC