W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Proposal: A pinning mechanism for CSP?

From: Mike West <mkwst@google.com>
Date: Fri, 23 Jan 2015 20:20:04 +0100
Message-ID: <CAKXHy=d6=i4i1aRtmkacxOP-aRcKMDvOt04DSYZp-wBV3Nv7Vw@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Jim Manico <jim.manico@owasp.org>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Dan Veditz <dveditz@mozilla.com>
On Fri, Jan 23, 2015 at 7:29 PM, Brad Hill <hillbrad@gmail.com> wrote:

> >The pinning model in the proposal uses the existing
> > combination logic for multiple headers: resources simply
> > need to pass all the policies applied to a protected resource.
> > I think overriding the pinned policy completely would undermine
> > its impact to some extent; I'd prefer to avoid doing that unless
> > there's a good reason to.
> I don't know about that.  I like the idea of "here's a backup policy in
> case things go wrong and we forget to send one".  For example, if an
> application ends up returning an error page before the logic that applies
> the policy was reached.

I hadn't thought about the problem this way; it's a compelling alternative,
mostly because it reduces the deployment risk to (practically) nil.

The overall concept, then, would be "Every page on my host(s) MUST have a
Content Security Policy.", which is similar conceptually to HSTS's promise
that every page on a host will be delivered over HTTPS. I think it's worth
exploring (sorry, Jim; I shouldn't have dismissed the idea so quickly).

I don't want to entirely give up the stricter "Every page on my host(s)
MUST have a CSP that's at least this strict." variant. I think Yan had some
use cases that would benefit from that sort of promise. Perhaps we can do
both with something horrible like a `no-override` directive?

Also, if we allow overrides at all, I'd suggest that `<meta>`-delivered
policies shouldn't override pinned policies. That seems like a bad idea.

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 23 January 2015 19:20:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC