Re: [CSP] <meta> clarifications

Mike West <mkwst@google.com> wrote:
> Brian Smith <brian@briansmith.org> wrote:
> I've (belatedly) addressed these points in
> https://github.com/w3c/webappsec/commit/3e856006a34d9f75d28d696c510f055084567c29.

You added a reference to the non-normative section 3.5 ("Enforcing
Multiple Policies") when describing normative requirements. I don't
think the spec should do that; the enforcement of multiple policies
should be specified in normative text and that normative text should
be referenced.

> I haven't added the suggestion regarding a warning message for
> already-loaded content; it's not at all clear how we'd implement such a
> change,

I think browsers should do *something* to help web developers notice
that they're using <meta> CSP in a problematic way. I can see how my
original suggestion might be non-trivial to implement. The requirement
could be worded a different way: The browser must issue a warning
whenever <meta> is used to deliver a CSP policy in an HTTP- or
HTTPS-origin document, unless the browser is certain that there's no
difference between the <meta>-delivered policy and a header-delivered
one. This would be easy to implement.

> and doesn't really match at least one use case (locking down an
> application after it "boots").

Are browsers required to support this for CSP2? If so, the spec should
indicate how it works (it doesn't seem to currently). It would be good
to have test cases in the test suite for this, if so.

Cheers,
Brian

Received on Monday, 19 January 2015 06:35:53 UTC
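As an added example (not from this thread, and not text from the CSP spec or any browser): a small static audit in JavaScript that reports the two concrete ways a <meta>-delivered policy differs from a header-delivered one, which is what the proposed warning above is meant to surface. It flags resource-loading elements that precede the <meta> element (they fetch or execute before any policy exists) and directives that CSP Level 2 ignores when delivered via <meta> (frame-ancestors, report-uri, sandbox). The function name auditMetaCsp, the tag list and the sample HTML are constructed for this example.

```javascript
// Added example: static audit of <meta>-delivered CSP. Not part of the
// original mailing-list post. Assumes the input is a raw HTML string and
// that a simple tag scan is adequate (fine for well-formed markup).

// Elements that fetch or execute as soon as they are parsed, i.e. before a
// later <meta> CSP can apply to them.
const PRE_POLICY_TAGS = new Set([
  "script", "link", "img", "iframe", "style", "object", "embed",
]);

// Directives that CSP Level 2 ignores when the policy arrives via <meta>.
const META_IGNORED_DIRECTIVES = new Set([
  "frame-ancestors", "report-uri", "sandbox",
]);

// Pull one attribute value out of a single tag's text (quoted or bare).
function getAttr(tag, name) {
  const re = new RegExp(
    `\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Split a serialized policy into lower-cased directive names.
function directiveNames(policy) {
  return policy
    .split(";")
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .filter((n) => n.length > 0);
}

function auditMetaCsp(html) {
  const result = {
    metaPolicy: null,          // content of the first <meta> CSP, if any
    loadedBeforePolicy: [],    // tag names parsed before that <meta>
    ignoredDirectives: [],     // directives that <meta> delivery drops
    differsFromHeader: false,  // true when either list is non-empty
    warnings: [],
  };

  // Walk opening tags in document order; closing tags and <!DOCTYPE>
  // do not match because '/' and '!' are not letters.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const name = m[1].toLowerCase();
    if (name === "meta") {
      const httpEquiv = getAttr(tag, "http-equiv");
      if (httpEquiv && httpEquiv.toLowerCase() === "content-security-policy") {
        result.metaPolicy = getAttr(tag, "content") ?? "";
        break; // only the first <meta> policy matters for this audit
      }
    } else if (PRE_POLICY_TAGS.has(name)) {
      result.loadedBeforePolicy.push(name);
    }
  }

  if (result.metaPolicy === null) {
    // No <meta> CSP: nothing to compare against a header, so no warnings.
    result.loadedBeforePolicy = [];
    return result;
  }

  result.ignoredDirectives = directiveNames(result.metaPolicy)
    .filter((n) => META_IGNORED_DIRECTIVES.has(n));

  if (result.loadedBeforePolicy.length > 0) {
    result.warnings.push(
      `elements parsed before the <meta> CSP and therefore unconstrained by it: ` +
      result.loadedBeforePolicy.join(", "));
  }
  if (result.ignoredDirectives.length > 0) {
    result.warnings.push(
      `directives ignored in <meta> delivery (use the header instead): ` +
      result.ignoredDirectives.join(", "));
  }
  result.differsFromHeader = result.warnings.length > 0;
  return result;
}

// Constructed sample: a script that runs before the policy, plus two
// directives that only work from the header.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<script src="/boot.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
<link rel="stylesheet" href="/app.css">
</head><body><img src="/logo.png"></body></html>`;

console.log(JSON.stringify(auditMetaCsp(SAMPLE_HTML), null, 2));
```

The audit deliberately stops at the first <meta> CSP: everything after it is governed by the policy just as it would be under a header, so only the earlier elements and the dropped directives represent a real difference. A document whose <meta> precedes every loading element and uses none of the ignored directives yields no warnings, which is the "certain that there's no difference" case the proposed requirement carves out.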