
Re: [CSP] Dynamic CSP

From: Mike West <mkwst@google.com>
Date: Wed, 4 Feb 2015 16:50:06 +0100
Message-ID: <CAKXHy=fpH1POsB2_wthL+fRe+bjh4_cnqjyW8U1+WuJUgQzbbA@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Crispin Cowan <crispin@microsoft.com>, Yoav Weiss <yoav@yoav.ws>, Deian Stefan <deian@cs.stanford.edu>, Joel Weinberger <jww@chromium.org>, Boris Chen <boris@tcell.io>, Dmitry Polyakov <dpolyakov@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 4, 2015 at 4:28 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>

> There may be other good arguments for dynamic CSP, but bending CSP in
> potentially dangerous ways specifically to facilitate the
> already-problematic "one URL for the entire webapp" model seems like a
> bad tradeoff.

I don't think "one URL for the whole app" is what we're talking about.
Consider https://github.com/w3c/webappsec. Clicking on `specs/` in the
folder list "navigates" to that directory:
https://github.com/w3c/webappsec/tree/master/specs. The URL is altered via
`pushState()`, and the new data is loaded via XHR. Since the execution
context remains the same, the CSP remains the same as well.

That model isn't at all uncommon. Navigating from folder to folder probably
isn't problematic, but there's no reason the same couldn't be done between
more dissimilar sections of an app.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
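The point Mike makes, that a `pushState()` + XHR "navigation" keeps the document and therefore its CSP, has a practical consequence for anyone deploying such an app: the initial HTML response must already carry a policy that covers every section the app can render without a real navigation, because nothing served later for a fragment can change it. The helper below is an added illustration, not code from this thread or from W3C; the section paths and source lists are made up, and it assumes each per-section policy declares `default-src` and uses only fetch directives.

```javascript
// Added example: derive the one document-level CSP a pushState-based app has
// to send up front. Policies on later XHR/fetch fragment responses do not
// apply to the already-loaded document, so the union must be computed now.

// Parse "directive src src; directive src" into Map<directive, Set<source>>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), new Set(sources));
  }
  return directives;
}

// Union the per-section source lists directive by directive. Only fetch
// directives are handled: a section that omits one falls back to its own
// default-src, which is why every section policy must declare default-src.
function mergeSectionPolicies(sectionPolicies) {
  const parsed = sectionPolicies.map(parseCsp);
  const names = new Set(parsed.flatMap((p) => [...p.keys()]));
  const merged = [];
  for (const name of names) {
    const union = new Set();
    for (const p of parsed) {
      const effective = p.get(name) ?? p.get('default-src');
      if (!effective) throw new Error(`section lacks ${name} and default-src`);
      effective.forEach((s) => union.add(s));
    }
    // 'none' only survives when no section allows any source at all.
    if (union.size > 1) union.delete("'none'");
    merged.push(`${name} ${[...union].join(' ')}`);
  }
  return merged.join('; ');
}

// Constructed sample: what three hypothetical sections of one SPA would each
// want if they were separate documents.
const SECTION_POLICIES = {
  '/tree': "default-src 'self'; img-src 'self' avatars.example",
  '/editor': "default-src 'self'; script-src 'self' editor-cdn.example",
  '/status': "default-src 'self'; img-src 'none'",
};

// The policy the initial document response has to carry.
function documentPolicy() {
  return mergeSectionPolicies(Object.values(SECTION_POLICIES));
}
```

The merged result is necessarily the most permissive of the sections in each directive, which is the trade-off Daniel's message is pointing at.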
Received on Wednesday, 4 February 2015 15:50:54 UTC
