W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Proposal: A pinning mechanism for CSP?

From: Mike West <mkwst@google.com>
Date: Fri, 23 Jan 2015 16:22:13 +0100
Message-ID: <CAKXHy=fYdoW-EqPVE=8WCtgzozGZeVhmBM0L=yOR7xgMzoRYpw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>
Cc: Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
TL;DR: Moar email. Feedback on
https://w3c.github.io/webappsec/specs/csp-pinning/ would be ever so welcome.

I've had a draft of a pinning mechanism for CSP sitting on my hard drive
for a while now; Yan kicked my butt into gear to get it cleaned up and out
the door for discussion. It's nowhere near complete, and is pretty
hand-wavey in a number of places, but I think the building blocks are there
for something that could be pretty useful for sites that are worried about
CSP's per-resource delivery mechanism. Rather than forcing developers to
"catch them all", we can help developers pin a minimal policy for a host
(and its subdomains), and layer more granular policies on top.

Feedback would be quite appreciated. If there's enough interest (and folks
don't think the idea is insane), I'll clean up the doc a bit more and see
if we can push it out as a FPWD.

Thanks!

+Chris and Ryan, since I stole ideas from PKP and HSTS. Hopefully I only
stole the good ones.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 23 January 2015 15:23:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC