Re: Proposal: A pinning mechanism for CSP? from Mike West on 2015-01-23 (public-webappsec@w3.org from January 2015)

From: Mike West <mkwst@google.com>
Date: Fri, 23 Jan 2015 18:29:32 +0100
To: Jim Manico <jim.manico@owasp.org>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
Message-ID: <CAKXHy=dLtgSCwF2fvTq9ho7xknVk1Aa5P6Q_E2mW_D27xo5KDw@mail.gmail.com>

On Fri, Jan 23, 2015 at 6:25 PM, Jim Manico <jim.manico@owasp.org> wrote:

> Ok that's fair.  Yea, to be honest I can even see CSP headers in a
> manifest for some sites. Configuring all this in one place is compelling.
> So I hope we can do a manifest OR per-page headers, with per-page headers
> taking precedence.
>

The pinning model in the proposal uses the existing combination logic for
multiple headers: resources simply need to pass all the policies applied to
a protected resource. I think overriding the pinned policy completely would
undermine its impact to some extent; I'd prefer to avoid doing that unless
there's a good reason to.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 23 January 2015 17:30:19 UTC