W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: [CSP] Dynamic CSP

From: Mike West <mkwst@google.com>
Date: Thu, 5 Feb 2015 08:34:07 +0100
Message-ID: <CAKXHy=cRgSZD05jx_rGURSUBLLq4-Dzr6Z4W+U_aTp6jx0dkHQ@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Crispin Cowan <crispin@microsoft.com>, Yoav Weiss <yoav@yoav.ws>, Deian Stefan <deian@cs.stanford.edu>, Joel Weinberger <jww@chromium.org>, Boris Chen <boris@tcell.io>, Dmitry Polyakov <dpolyakov@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 4, 2015 at 6:18 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>

> Still, the way for webapp design to achieve these goals with systems in
> place today is to deliberately change the execution context when the app
> needs to alter CSP.

Maybe that's the right answer. My understanding is that there are
substantial performance benefits associated with avoiding full-page
navigations, and that the recent movement towards `pushState()`-driven apps
is explicitly encouraged on those grounds.

> Is it worth injecting potential vulnerabilities in CSP (allowing the
> page to change its own policy) just to enable retaining the single
> execution state?

If we ensure that the footgun is opt-in (either by making it a separate
header, or by having some flag on requests, or whatever), then it might be
worth giving developers the option. I suspect at the moment that some sites
are either not using CSP, or are using a truly broad (and thereby not
particularly effective) policy in order to achieve the performance wins
noted above.

On Thu, Feb 5, 2015 at 12:07 AM, Deian Stefan <deian@cs.stanford.edu> wrote:

> There is the safe use case of only allowing code to further restrict the
> CSP policy. This is useful if you want to effectively "drop privileges."

Given our existing combination logic, this is possible today just by
injecting additional `<meta>` elements containing policy.

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 5 February 2015 07:34:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC