Re: Proposal: A pinning mechanism for CSP? from Daniel Veditz on 2015-02-01 (public-webappsec@w3.org from February 2015)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 1 Feb 2015 11:55:35 -0800
To: Mike West <mkwst@google.com>
Cc: Deian Stefan <deian@cs.stanford.edu>, yan zhu <yan@mit.edu>, Yan Zhu <yzhu@yahoo-inc.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Frederik Braun <fbraun@mozilla.com>, Jim Manico <jim.manico@owasp.org>
Message-ID: <CADYDTCCa+q=qQnHXCTsKmqhYnwub_W+tcJSsscNWS=GtkehoPA@mail.gmail.com>

I prefer #2a and #2 would be OK as an interim. I like the consistency of #1
but worry it will be too inflexible for complex sites; sites can emulate
that effect by adding another site-wide CSP header as traffic goes through
their load-balancer or similar front-end server.

I don't like the way #3 puts the override power in the hands of the
possibly-injected content. #3a solves that problem but in the end is
equivalent to a wordier #2a.

-Dan Veditz

On Fri, Jan 30, 2015 at 6:06 AM, Mike West <mkwst@google.com> wrote:

>
> On Jan 30, 2015 12:56 PM, "Mike West" <mkwst@google.com> wrote:
> > For simplicity's sake, I'd vote for #2, with the option of moving to #3
> in the future. That 'no-override' model leaves the majority of the power
> with the _pin_ and not the _page_, which seems like the right tradeoff.
>
> I confused myself, apologies. I vote for #2 with the option of moving to
> #2a in the future. Not #3.
>
> -mike
>

Received on Sunday, 1 February 2015 19:56:02 UTC