W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 25 Jan 2015 14:55:13 -0800
Message-ID: <CADYDTCDZXGZyGobTZh2ZE_wOZ210-BbHy395R8zOqvgPKGFr5Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michael Cooper <cooper@w3.org>
On Mon, Jan 19, 2015 at 11:27 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Jan 19, 2015 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote:
>> Another way of phrasing this question is "Is an empty policy
>> equivalent to no policy?"
> Yes.

​Mozilla's original vision (and implementation, for that matter) was that
an empty policy failed closed and broke your site. Everything we thought
dangerous (within the purview of the spec) was turned off until the site
authors explicitly turned it back on.

This approach fell apart the first time we thought of something new to
block on websites: suddenly sites that had been working fine with CSP broke
until they updated their policy. The approach worked OK for brand new web
features because those sites presumably wouldn't have been using that
feature anyway, but it failed miserably when we wanted to widen the scope
of CSP (incorporating X-frame-options functionality, sandboxed iframes, now
enhanced mixed content blocking). Sites were punished for having tried to
use a security feature.

Rather than have the presence of the CSP header be the opt-in to a fully
restricted state, the individual directives are the opt-in for that sub-set
of the specification.

-Dan Veditz
Received on Sunday, 25 January 2015 22:55:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC