W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Proposal: A pinning mechanism for CSP?

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 23 Jan 2015 09:38:43 -0800
Message-ID: <3600422504158421056@unknownmsgid>
To: Mike West <mkwst@google.com>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
All I'm saying is that if pinning config can be set via a manifest like
structure vs headers, I'd suggest that headers take precedence.

If I'm way off base or being disruptive, let me know off-list and I'll go
back to lurking and popcorn.

I'm really proud of all of you. I feel this is where websec really gets
done. Keep up the great work!

Jim Manico
(808) 652-3805

On Jan 23, 2015, at 9:29 AM, Mike West <mkwst@google.com> wrote:

On Fri, Jan 23, 2015 at 6:25 PM, Jim Manico <jim.manico@owasp.org> wrote:

> Ok that's fair.  Yea, to be honest I can even see CSP headers in a
> manifest for some sites. Configuring all this in one place is compelling.
> So I hope we can do a manifest OR per-page headers, with per-page headers
> taking precedence.

The pinning model in the proposal uses the existing combination logic for
multiple headers: resources simply need to pass all the policies applied to
a protected resource. I think overriding the pinned policy completely would
undermine its impact to some extent; I'd prefer to avoid doing that unless
there's a good reason to.

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 23 January 2015 17:39:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC