Re: Proposal: A pinning mechanism for CSP?

All I'm saying is that if pinning config can be set via a manifest like
structure vs headers, I'd suggest that headers take precedence.

If I'm way off base or being disruptive, let me know off-list and I'll go
back to lurking and popcorn.

I'm really proud of all of you. I feel this is where websec really gets
done. Keep up the great work!

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 23, 2015, at 9:29 AM, Mike West <mkwst@google.com> wrote:

On Fri, Jan 23, 2015 at 6:25 PM, Jim Manico <jim.manico@owasp.org> wrote:

> Ok that's fair.  Yea, to be honest I can even see CSP headers in a
> manifest for some sites. Configuring all this in one place is compelling.
> So I hope we can do a manifest OR per-page headers, with per-page headers
> taking precedence.
>

The pinning model in the proposal uses the existing combination logic for
multiple headers: resources simply need to pass all the policies applied to
a protected resource. I think overriding the pinned policy completely would
undermine its impact to some extent; I'd prefer to avoid doing that unless
there's a good reason to.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 23 January 2015 17:39:12 UTC