W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [CSP] <meta> clarifications

From: Mike West <mkwst@google.com>
Date: Thu, 15 Jan 2015 15:05:59 +0100
Message-ID: <CAKXHy=ed9pmoYZ77dePbrrb+tgduv2SCV6zUTXp5eENVthGePg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Nov 9, 2014 at 11:48 PM, Brian Smith <brian@briansmith.org> wrote:

> The current draft says "Authors are strongly encouraged to place the
> meta element as early in the document as possible to reduce the risk
> of content injection before a protective policy can be read and
> enforced."
>
> I think this is reasonable. But, I think it would be better to replace
> "to reduce the risk of content injection before a protective policy
> can be read and enforced" with the more general statement "because
> policies in meta elements are not applied to content that precedes
> them". Also, I think some illustrative examples will help people
> understand what this means. I provide some examples below.
>
> Also, I think that the specification should say something like "The
> user agent SHOULD report a warning message in the developer console
> when a <meta> CSP policy follows an element that would have been
> restricted if the <meta> element had preceded it."
>
> Also, the current draft says "the meta element" but I think it should
> instead acknowledge the possibility of multiple "meta elements" and
> mention that all of the meta elements are combined together with the
> rest of the policies from the HTTP headers.
>
> Also, this section has a note that says "The general mechanism for
> determining the effect of enforcing multiple policies is detailed in
> §3.5 Enforcing multiple policies." But, section 3.5 says "This section
> is not normative." The reference should be changed to reference the
> normative text for combining policies.
>

I've (belatedly) addressed these points in
https://github.com/w3c/webappsec/commit/3e856006a34d9f75d28d696c510f055084567c29
.

I haven't added the suggestion regarding a warning message for
already-loaded content; it's not at all clear how we'd implement such a
change, and doesn't really match at least one use case (locking down an
application after it "boots").

WDYT?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 15 January 2015 14:06:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC