Re: Proposal: A pinning mechanism for CSP?

With HPKP, HSTS, CSP-Pinning and all these headers, I feel like we'd
rather need a Site Settings spec.

Wait, something like a manifest!

Oh.. :P

On 23.01.2015 16:22, Mike West wrote:
> TL;DR: Moar email. Feedback
> on https://w3c.github.io/webappsec/specs/csp-pinning/ would be ever so
> welcome.
> 
> I've had a draft of a pinning mechanism for CSP sitting on my hard drive
> for a while now; Yan kicked my butt into gear to get it cleaned up and
> out the door for discussion. It's nowhere near complete, and is pretty
> hand-wavey in a number of places, but I think the building blocks are
> there for something that could be pretty useful for sites that are
> worried about CSP's per-resource delivery mechanism. Rather than forcing
> developers to "catch them all", we can help developers pin a minimal
> policy for a host (and its subdomains), and layer more granular policies
> on top.
> 
> Feedback would be quite appreciated. If there's enough interest (and
> folks don't think the idea is insane), I'll clean up the doc a bit more
> and see if we can push it out as a FPWD.
> 
> Thanks!
> 
> +Chris and Ryan, since I stole ideas from PKP and HSTS. Hopefully I only
> stole the good ones.
> 
> --
> Mike West <mkwst@google.com>, @mikewest
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 23 January 2015 17:02:27 UTC
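A model of the mechanism Mike describes, "pin a minimal policy for a host (and its subdomains), and layer more granular policies on top", as an added illustration that is not code from the thread or from the csp-pinning draft. The header name `Content-Security-Policy-Pin` and its HSTS-style `max-age` / `includeSubDomains` fields are assumptions made for the example (the draft's actual grammar may differ); the source matching is deliberately simplified (no ports, paths or nonces). What it does rely on is existing CSP behaviour: when several policies apply, each is enforced independently, so a load must be allowed by every one of them.

```javascript
// Added example, not from the thread or the csp-pinning draft.
// Assumed header shape: Content-Security-Policy-Pin: max-age=N; includeSubDomains; <directives>

// "default-src 'self'; script-src https:" -> Map(directive -> [source expressions])
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Pin header -> { expires, includeSubDomains, policy }; like HSTS, no max-age means no pin.
function parsePin(header, now) {
  let maxAge = null, includeSubDomains = false;
  const policyParts = [];
  for (const raw of header.split(';')) {
    const p = raw.trim();
    if (!p) continue;
    const m = /^max-age=(\d+)$/i.exec(p);
    if (m) { maxAge = Number(m[1]); continue; }
    if (/^includeSubDomains$/i.test(p)) { includeSubDomains = true; continue; }
    policyParts.push(p);
  }
  if (maxAge === null) return null;
  return { expires: now + maxAge * 1000, includeSubDomains, policy: parsePolicy(policyParts.join('; ')) };
}

// HSTS/HPKP-style per-host store: max-age=0 clears, parents apply to children only with includeSubDomains.
class PinStore {
  constructor() { this.pins = new Map(); }
  record(host, header, now) {
    const pin = parsePin(header, now);
    if (!pin) return false;
    if (pin.expires <= now) { this.pins.delete(host); return false; }
    this.pins.set(host, pin);
    return true;
  }
  lookup(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {   // exact host, then parents (never a bare TLD)
      const candidate = labels.slice(i).join('.');
      const pin = this.pins.get(candidate);
      if (!pin) continue;
      if (pin.expires <= now) { this.pins.delete(candidate); continue; }
      if (i === 0 || pin.includeSubDomains) return pin.policy;
    }
    return null;
  }
}

// Simplified CSP source matching: 'none', 'self', *, scheme:, [scheme://]host, *.host.
function sourceAllowed(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol.toLowerCase() === expr.toLowerCase();
  let hostPart = expr, scheme = null;
  const sm = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(expr);
  if (sm) { scheme = sm[1].toLowerCase() + ':'; hostPart = sm[2]; }
  if (scheme && url.protocol.toLowerCase() !== scheme) return false;
  if (hostPart.startsWith('*.')) return url.hostname.endsWith(hostPart.slice(1));
  return url.hostname === hostPart;
}

// One policy's verdict; a missing fetch directive falls back to default-src, and no directive at all allows.
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some(src => sourceAllowed(src, url, pageOrigin));
}

// Layering: the pinned floor and the page's own CSP are each enforced; all must allow the load.
function loadAllowed(policies, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return policies.filter(Boolean).every(p => policyAllows(p, directive, url, pageOrigin));
}

// Constructed scenario: example.com pins an https-only floor for itself and every subdomain;
// app.example.com additionally ships a narrower per-page policy, static.example.com ships none.
function demo(now = Date.now()) {
  const store = new PinStore();
  store.record('example.com', "max-age=2592000; includeSubDomains; default-src https:; object-src 'none'", now);
  const pageOrigin = 'https://app.example.com';
  const pageCsp = parsePolicy("default-src 'self'; script-src 'self' https://cdn.example.com");
  const pinned = store.lookup('app.example.com', now);
  const layered = [pinned, pageCsp];
  return {
    pinFound: pinned !== null,
    selfScript: loadAllowed(layered, 'script-src', 'https://app.example.com/a.js', pageOrigin),  // true
    cdnScript:  loadAllowed(layered, 'script-src', 'https://cdn.example.com/b.js', pageOrigin),  // true
    httpCdn:    loadAllowed(layered, 'script-src', 'http://cdn.example.com/b.js', pageOrigin),   // false: pin floor
    plugin:     loadAllowed(layered, 'object-src', 'https://app.example.com/x.swf', pageOrigin), // false: pin's object-src 'none'
    noCspPage:  loadAllowed([store.lookup('static.example.com', now)], 'img-src',
                            'http://evil.example.net/p.png', 'https://static.example.com'),       // false: pin alone
  };
}
```

The `httpCdn` and `noCspPage` cases are the point of the proposal: the page's own policy would have allowed the first, and the second page sends no policy at all, yet both loads are refused because the pinned floor for `example.com` still applies. A pin can only tighten; the page-level header can narrow things further but can never loosen what was pinned, which is why the proposal suggests pinning a minimal policy rather than a complete one.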