
Re: [CSP] Dynamic CSP

From: Deian Stefan <deian@cs.stanford.edu>
Date: Wed, 04 Feb 2015 15:07:18 -0800
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike West <mkwst@google.com>
Cc: Crispin Cowan <crispin@microsoft.com>, Yoav Weiss <yoav@yoav.ws>, Joel Weinberger <jww@chromium.org>, Boris Chen <boris@tcell.io>, Dmitry Polyakov <dpolyakov@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <87twz1qnrt.fsf@cs.stanford.edu>
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> Still, the way for webapp design to achieve these goals with systems in
> place today is to deliberately change the execution context when the app
> needs to alter CSP.
>
> Is it worth injecting potential vulnerabilities in CSP (allowing the
> page to change its own policy) just to enable retaining the single
> execution state?

There is the safe use case of only allowing code to further restrict the
CSP policy. This is useful if you want to effectively "drop privileges."

Deian
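As an added illustration of the restrict-only case Deian describes (example code, not from the thread or from any CSP implementation): a guard that accepts a proposed replacement policy only when it never widens the current one, which is the check a hypothetical "change my own policy" mechanism would need before applying it. `parsePolicy` and `isRestrictionOf` are assumed helper names, and the sample policies are constructed.

```javascript
// Parse a serialized CSP into Map<directive name, Set<source expression>>.
// Directive names are case-insensitive; source expressions (which may be
// nonces or hashes) are kept verbatim. The first occurrence of a directive
// wins, matching how browsers treat duplicate directives.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [rawName, ...sources] = parts;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, new Set(sources));
  }
  return directives;
}

// True only if `proposed` drops privileges relative to `current`: every
// directive in `current` must reappear in `proposed` with a source list that
// is a textual subset (or exactly 'none'). Omitting a directive is rejected,
// because in a replace model it would fall back to default-src or to
// "unrestricted", which is a widening. This is deliberately conservative:
// it does not model wildcard or scheme matching, so it can reject a policy
// that is semantically tighter (e.g. replacing * with one host), but it
// never accepts one that is wider.
function isRestrictionOf(current, proposed) {
  for (const [name, allowed] of current) {
    const next = proposed.get(name);
    if (!next) return false;
    if (next.size === 1 && next.has("'none'")) continue;
    for (const src of next) {
      if (!allowed.has(src)) return false; // would grant a new source
    }
  }
  return true;
}

// Return the policy string to apply, or throw if it would widen anything.
// Today a page can achieve the same effect without any new API by adding a
// <meta http-equiv="Content-Security-Policy"> element: multiple policies are
// enforced independently, so the effective policy can only get tighter.
function tighten(currentSerialized, proposedSerialized) {
  if (!isRestrictionOf(parsePolicy(currentSerialized), parsePolicy(proposedSerialized))) {
    throw new Error('proposed policy is not a restriction of the current one');
  }
  return proposedSerialized;
}
```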
Received on Wednesday, 4 February 2015 23:07:49 UTC