TL;DR: Moar email. Feedback on https://w3c.github.io/webappsec/specs/csp-pinning/ would be ever so welcome.

I've had a draft of a pinning mechanism for CSP sitting on my hard drive for a while now; Yan kicked my butt into gear to get it cleaned up and out the door for discussion. It's nowhere near complete, and is pretty hand-wavey in a number of places, but I think the building blocks are there for something that could be pretty useful for sites that are worried about CSP's per-resource delivery mechanism. Rather than forcing developers to "catch them all", we can help developers pin a minimal policy for a host (and its subdomains), and layer more granular policies on top.

Feedback would be quite appreciated. If there's enough interest (and folks don't think the idea is insane), I'll clean up the doc a bit more and see if we can push it out as an FPWD.

Thanks!

+Chris and Ryan, since I stole ideas from PKP and HSTS. Hopefully I only stole the good ones.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 23 January 2015 15:23:00 UTC
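The layering the mail describes, as an added example that is not from the email or the csp-pinning draft: a minimal policy pinned for a host (optionally its subdomains) combined with a per-response policy under ordinary CSP semantics, where a load must satisfy every applicable policy, so the pin acts as a floor that a page's own header cannot loosen. The pin record shape, the simplified source matching (no ports or paths on host sources) and the sample policies are assumptions.

```python
from urllib.parse import urlsplit

def parse_policy(policy: str) -> dict:
    """'default-src 'self'; img-src https:' -> {'default-src': ["'self'"], ...}"""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def _source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match (host sources: no ports or paths)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr == "*":
        return True
    if expr.endswith(":"):                    # scheme source, e.g. https:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")  # host source, optional scheme
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):                 # *.example.com: any subdomain
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def allowed_by(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """One policy's verdict; falls back to default-src, unrestricted if neither."""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or any(_source_allows(s, url, page_origin) for s in sources)

def pin_applies(pin: dict, page_origin: str) -> bool:
    """Does a pin recorded for pin['host'] govern a page served from page_origin?
    (pin shape is an assumption: {'host', 'include_subdomains', 'policy'})"""
    host = urlsplit(page_origin).hostname
    return host == pin["host"] or (
        pin["include_subdomains"] and host.endswith("." + pin["host"]))

def effective_allow(pin: dict, page_policy: str, directive: str,
                    url: str, page_origin: str) -> bool:
    """Layering: the pinned baseline (where it applies) AND the page's own
    policy must both allow the load; a page with no CSP header still gets the pin."""
    policies = [page_policy] if page_policy else []
    if pin_applies(pin, page_origin):
        policies.append(pin["policy"])
    return all(allowed_by(parse_policy(p), directive, url, page_origin)
               for p in policies)
```

Note the two failure modes a pin is meant to cover: a response whose policy is looser than the baseline is still held to the baseline, and a response that carries no policy at all is not left unprotected.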