
Re: Proposal: A pinning mechanism for CSP?

From: Eric Mill <eric@konklone.com>
Date: Sat, 7 Feb 2015 10:38:29 -0500
Message-ID: <CANBOYLVmNSDKVGyGiRd_WpeXTwDW9Njp1zDnqyD3nmFVkkpw2w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
On Sat, Feb 7, 2015 at 12:27 AM, Mike West <mkwst@google.com> wrote:

> On Fri, Feb 6, 2015 at 7:14 PM, Brian Smith <brian@briansmith.org> wrote:
>> Isn't this better done as a feature of web servers than a feature of
>> web browsers?
> It's certainly something that could be done as a feature of web servers.
> However, it's really easy to miss pages. For instance, I just checked
> https://mikewest.org/404, a page that _really should_ have a CSP, as it's
> terribly high-value, and the guy responsible for it knows a thing or two
> about CSP.
> I know it's possible to configure nginx to send proper headers with error
> pages, but I didn't do it because I never thought about it until just this
> moment. I suspect that other (even _more_ valuable sites) are in similar
> situations.
> Belts and suspenders, right?

The thought this brought to mind was that it'd be best done at the server
_proxy_ level, a bit like Google's page_speed module. For example, a
CloudFlare switch might use it to rewrite the page to use static resource
links before caching it at their edge nodes.

That wouldn't cover dynamic references, like XHRs triggered from JavaScript
-- but that's fine, because HSTS _will_ cover those.

If I could point to an nginx module, Apache module, or IIS module that
could be turned on to mostly reliably rewrite mixed content references --
especially if it could be given a whitelist of domain(s) to operate on,
like we're talking about for this CSP header -- that would ease the hell
out of some large migrations.

As importantly: it would also work for all clients, no matter how old. None
of the HSTS or CSP extensions discussed so far will matter to a large
website until client support is extremely wide.

-- Eric

> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

konklone.com | @konklone <https://twitter.com/konklone>
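The whitelist-scoped rewrite the message asks for, as an added example that is not part of this thread and not code from any nginx, Apache or IIS module: a small Python function that rewrites `http://` references in static markup to `https://` only when the host falls under one of the given domains, and leaves every other host untouched. The attribute list, domain set and sample HTML are constructed here; as the message notes, this covers only static references, not XHRs built in JavaScript at runtime.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Attributes that carry subresource or navigation URLs in static markup
# (constructed list; `\bsrc` also catches lazy-load data-src attributes).
_ATTR_RE = re.compile(
    r'(?P<prefix>\b(?:src|href|action|poster|data)\s*=\s*(?P<q>["\']))'
    r'(?P<url>http://[^"\']+)'
    r'(?P=q)',
    re.IGNORECASE,
)


def host_allowed(host, allowed_domains):
    """True if host equals, or is a subdomain of, an allowed domain."""
    host = host.lower().rstrip('.')
    for domain in allowed_domains:
        domain = domain.lower()
        if host == domain or host.endswith('.' + domain):
            return True
    return False


def rewrite_mixed_content(html, allowed_domains):
    """Rewrite http:// references on allowed hosts to https://.

    Returns (rewritten_html, number_of_references_rewritten). Hosts not
    in the whitelist are left as-is, since the operator has not asserted
    that they serve the same content over TLS.
    """
    rewritten = 0

    def repl(match):
        nonlocal rewritten
        parts = urlsplit(match.group('url'))
        if not host_allowed(parts.hostname or '', allowed_domains):
            return match.group(0)
        rewritten += 1
        secure = urlunsplit(('https',) + tuple(parts[1:]))
        return match.group('prefix') + secure + match.group('q')

    return _ATTR_RE.sub(repl, html), rewritten


# Constructed sample page: two whitelisted hosts, one third party,
# and one reference that is already https and must stay untouched.
SAMPLE_HTML = (
    '<img src="http://static.example.com/logo.png">'
    '<script src="http://cdn.example.com/app.js"></script>'
    '<a href="http://partner.invalid/page">partner</a>'
    '<img src="https://static.example.com/ok.png">'
)

if __name__ == "__main__":
    out, count = rewrite_mixed_content(SAMPLE_HTML, ["example.com"])
    print(count, "references rewritten")
    print(out)
```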
Received on Saturday, 7 February 2015 15:39:39 UTC
