Re: [CSP] Dynamic CSP

On Wed 2015-02-04 03:28:48 -0500, Mike West wrote:
> Consider a single-page site that loads in content via XHR or `fetch()`.
> Currently, setting a policy is only possible if it includes _every_
> resource that might be loaded by the application in any of its many states.
> That is, you'd need to whitelist all the admin resources, even though 99%
> of the users aren't ever going to touch the admin tools.

Arguably, this is just bad web application design.  Thoughtful URL
selection and generation in a web application allows users and
administrators to link to specific application contexts, facilitates
problem reports and debugging, *and* permits the use of more
narrowly-tailored page-level policies like CSP.

That is: if is the main application, then
just put the admin interface at and
serve a distinct CSP at each location.

There may be other good arguments for dynamic CSP, but bending CSP in
potentially dangerous ways specifically to facilitate the
already-problematic "one URL for the entire webapp" model seems like a
bad tradeoff.


Received on Wednesday, 4 February 2015 15:28:43 UTC