
Re: Proposal: A pinning mechanism for CSP?

From: Mike West <mkwst@google.com>
Date: Fri, 30 Jan 2015 12:56:22 +0100
Message-ID: <CAKXHy=cdxgYY3witbvpaGjAcupEy9xqtBDR=UhGqo0P6qA2RHw@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>
Cc: Brad Hill <hillbrad@gmail.com>, Yan Zhu <yzhu@yahoo-inc.com>, Jim Manico <jim.manico@owasp.org>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Dan Veditz <dveditz@mozilla.com>
On Fri, Jan 30, 2015 at 6:45 AM, Deian Stefan <deian@cs.stanford.edu> wrote:

> Wish I was at AppSec to hear the discussion :)
>

If there was discussion, it would be nice if someone took notes and posted
them. *cough*


> Instead of overriding the pinned policy with the header-supplied policy,
> have you considered treating the pinned policy as a base policy and
> requiring the CSP header to provide an `override-base` directive to
> override the pinned policy? (I don't think that this is incompatible
> with `no-override`.) This clearly favors security over deployability,
> but I'm curious to hear if there was any discussion about this.
>

This ends up being the same as the initial proposal, but with an option on
the page's side rather than the pin's side. I guess I'd suggest that we
should just pick one of the ~3 proposed models, and run with it.

That is, either:

1. The pin always applies to every resource loaded from a set of hosts, and
can be combined with (but not overridden by) a page's policy.

2. The pin applies only to any resource loaded from a set of hosts that
doesn't contain its own policy.
2a. The pin applies only to any resource loaded from a set of hosts that
doesn't contain its own policy, unless 'no-override' is set, in which case
#1 applies.

3. The pin applies to every resource loaded from a set of hosts that
doesn't contain a policy with an 'override-pin' directive.
3a. The pin applies to every resource loaded from a set of hosts that
doesn't contain a policy with an 'override-pin' directive, unless
'no-override' is set in the pin, in which case #1 applies.

For simplicity's sake, I'd vote for #2, with the option of moving to #3 in
the future. That 'no-override' model leaves the majority of the power with
the _pin_ and not the _page_, which seems like the right tradeoff.

WDYT?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
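As an added illustration of the models enumerated in the message above (not code from the thread or from any browser's CSP implementation), the following decision function returns which policies a browser would enforce for a resource under each candidate rule. The 'no-override' and 'override-pin' directive names are the ones proposed in the discussion; treating "combined with" as "both policies are enforced", as with multiple Content-Security-Policy headers today, is an assumption.

```javascript
// Added example: models the candidate pin/page resolution rules (#1, #2, #2a, #3, #3a).
// Assumptions: a pin is a CSP policy string that may carry a 'no-override' directive;
// a page policy is a CSP string that may carry an 'override-pin' directive;
// "combined" means both policies are enforced independently.

// Returns the set of directive names in a CSP string,
// e.g. "default-src 'self'; no-override" -> {"default-src", "no-override"}.
function parseDirectives(policy) {
  const names = new Set();
  for (const part of (policy || "").split(";")) {
    const name = part.trim().split(/\s+/)[0];
    if (name) names.add(name.toLowerCase());
  }
  return names;
}

// `pin` is the pinned policy for the resource's host (or null),
// `page` is the policy delivered with the resource itself (or null).
// Returns the list of policies that would be enforced, pin first.
function effectivePolicies(model, pin, page) {
  const enforced = page ? [page] : [];
  if (!pin) return enforced;

  const pinNoOverride = parseDirectives(pin).has("no-override");
  const pageOverridesPin = parseDirectives(page).has("override-pin");

  let pinApplies;
  switch (model) {
    case "1":  pinApplies = true; break;                              // always combined
    case "2":  pinApplies = !page; break;                             // only when page has no policy
    case "2a": pinApplies = !page || pinNoOverride; break;            // #2, or #1 if pin says no-override
    case "3":  pinApplies = !pageOverridesPin; break;                 // page may opt out via override-pin
    case "3a": pinApplies = !pageOverridesPin || pinNoOverride; break; // #3, or #1 if pin says no-override
    default:   throw new Error("unknown model " + model);
  }
  if (pinApplies) enforced.unshift(pin);
  return enforced;
}
```

Under #2 the page wins whenever it ships any policy at all, while under #2a and #3a the pin's 'no-override' wins regardless of what the page says, which is the "power with the pin" tradeoff the message describes.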
Received on Friday, 30 January 2015 11:57:11 UTC
