Re: Proposal: A pinning mechanism for CSP?

From: Yan Zhu <yzhu@yahoo-inc.com>
Date: Fri, 30 Jan 2015 18:24:20 +0000 (UTC)
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Deian Stefan <deian@cs.stanford.edu>
Cc: yan zhu <yan@mit.edu>, Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Frederik Braun <fbraun@mozilla.com>, Jim Manico <jim.manico@owasp.org>
Message-ID: <354605093.1890994.1422642260145.JavaMail.yahoo@mail.yahoo.com>

Upon further thought, I agree with Brad/Mike. I think my use case could be addressed as an extension of the TAG's packaging proposal, or an entirely new proposal.

On Friday, January 30, 2015 9:56 AM, Brad Hill <hillbrad@gmail.com> wrote:

We didn't discuss it at AppSec, so you're not missing any notes.

I like option #2, and Facebook would have real use for such a feature.

I think Yan's use case is valid and interesting, but I don't think it's a CSP pinning feature; it's a something-else meta-stable-crypto-key confinement something feature, and I think both it and CSP would be harmed by trying to shoehorn it in as CSP pinning.

On Fri Jan 30 2015 at 6:06:06 AM Mike West <mkwst@google.com> wrote:

>On Jan 30, 2015 12:56 PM, "Mike West" <mkwst@google.com> wrote:
>> For simplicity's sake, I'd vote for #2, with the option of moving to #3 in the future. That 'no-override' model leaves the majority of the power with the _pin_ and not the _page_, which seems like the right tradeoff.
>I confused myself, apologies. I vote for #2 with the option of moving to #2a in the future. Not #3.
Received on Friday, 30 January 2015 18:25:38 UTC