
Re: Signed CSP

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 15 Feb 2015 18:10:29 -0800
Message-ID: <CALx_OUCTzB7NbEMULinXdj4B0Z+B3WX63nkFe6_X8aS6C_q5LQ@mail.gmail.com>
To: Scott Arciszewski <kobrasrealm@gmail.com>
Cc: Crispin Cowan <crispin@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

So your model is to have a manually curated whitelist of trusted keys;
and then use a browser that refuses to load any Internet content at
all unless it is signed with one of these (hopefully offline) keys?

The "can't navigate anywhere else" seems like a prerequisite, because
otherwise, what stops pwn3d.com from just a 30x redirect to evil.com,
and letting evil.com do any fingerprinting / decloaking it wants? (In
fact, for optimal safety, you'd probably want a whitelist of keys
*and* of navigable origins).

This seems like an incredibly narrow / impractical use case, with a
whole lot of new browser logic to tackle on, and even then, CSP is
probably not the right place to solve it. You'd probably just want a
signature attached as an extra HTTP header or so, with a browser
add-on plugging into the HTTP stack and taking care of the validation
steps.

/mz
Received on Monday, 16 February 2015 02:11:17 UTC
