
Re: Proposal: A pinning mechanism for CSP?

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 23 Jan 2015 09:11:18 -0800
Message-ID: <6320107662973669095@unknownmsgid>
To: Frederik Braun <fbraun@mozilla.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>

We need to apply these headers differently per-page at times, so I say
no to a manifest-like structure.

--
Jim Manico
@Manicode
(808) 652-3805

> On Jan 23, 2015, at 9:04 AM, Frederik Braun <fbraun@mozilla.com> wrote:
>
> With HPKP, HSTS, CSP-Pinning and all these headers, I feel like we'd
> rather need a Site Settings spec.
>
> Wait, something like a manifest!
>
> Oh.. :P
>
>> On 23.01.2015 16:22, Mike West wrote:
>> TL;DR: Moar email. Feedback
>> on https://w3c.github.io/webappsec/specs/csp-pinning/ would be ever so
>> welcome.
>>
>> I've had a draft of a pinning mechanism for CSP sitting on my hard drive
>> for a while now; Yan kicked my butt into gear to get it cleaned up and
>> out the door for discussion. It's nowhere near complete, and is pretty
>> hand-wavey in a number of places, but I think the building blocks are
>> there for something that could be pretty useful for sites that are
>> worried about CSP's per-resource delivery mechanism. Rather than forcing
>> developers to "catch them all", we can help developers pin a minimal
>> policy for a host (and its subdomains), and layer more granular policies
>> on top.
>>
>> Feedback would be quite appreciated. If there's enough interest (and
>> folks don't think the idea is insane), I'll clean up the doc a bit more
>> and see if we can push it out as a FPWD.
>>
>> Thanks!
>>
>> +Chris and Ryan, since I stole ideas from PKP and HSTS. Hopefully I only
>> stole the good ones.
>>
>> --
>> Mike West <mkwst@google.com>, @mikewest
>>
>> Google Germany GmbH, Dienerstrasse 12, 80331 München,
>> Germany, Registration court and number: Hamburg, HRB 86891, Registered
>> office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
>> Flores
>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
Received on Friday, 23 January 2015 17:11:47 UTC
