W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2015

Re: Non-browser implementation of CSP (was Re: CSP3 as a polylithic set of modules?)

From: Mike West <mkwst@google.com>
Date: Mon, 5 Oct 2015 14:46:58 +0200
Message-ID: <CAKXHy=fFn97QZ=qrThShvMJ7e-94BVpiaXwQ4v=D57fMhDbieA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Mark Nottingham <mnot@mnot.net>, Travis Leithead <Travis.Leithead@microsoft.com>
On Thu, Oct 1, 2015 at 7:39 PM, Brian Smith <brian@briansmith.org> wrote:

> On Tue, Sep 29, 2015 at 9:00 PM, Mike West <mkwst@google.com> wrote:
>> On Tue, Sep 29, 2015 at 2:47 PM, Brian Smith <brian@briansmith.org>
>> wrote:
>> But regardless of the timing of anything, the time gap between CSP and
>> CSP2 was huge, and I don't think the actual diff justifies that timeline.
>> I'd like to move a bit more quickly; everything we're doing feels slow.
> I agree.

(I'd appreciate thoughts, from you and others, on how we could speed things

>> Developers who aren't using the templating solutions that exist are not
>>> worth spending time on, except for encouraging them to adopt good
>>> templating solutions.
>> Belts and suspenders, right? I mean, we have pretty good templating
>> solutions at Google, but we still run into regular XSS on our sites.
> Yes, but I think both the belt and suspenders could reasonably be on the
> production side. Templating systems shouldn't stop doing what they are
> currently doing; instead they should *add* CSP support.

This seems like a totally reasonable thing for templating systems to do!

I disagree that we shouldn't also have suspenders in the browser. Belts +
suspenders + MOAR SUSPENDERS seems like a winning combination.

Or maybe the browser is the belt. Either way, the security team at Google
has found CSP useful in terms of providing an extra layer of confidence
about the integrity of the systems they're responsible for. I think it's a
reasonable accessory for the UA to offer.

> As above, that deals with a large chunk of the problem, but it doesn't
>> deal with redirects. I think we're going to require some Fetch integration
>> regardless for that piece, and since dealing with redirects is the same as
>> dealing with the initial request (hooray recursive algorithms), it's not
>> clear to me what we'd gain by defining a DOM-based ruleset.
> You are right

In this case, I'd agree with Dan's assessment: we have to write this code
anyway, and it deals with 100% of the enforcement that we need, so I don't
see a ton of value in adding a DOM-manipulation layer of enforcement as

Could you elaborate a bit on what you'd like to see the implementation do?
> One of the problems with CSP as enforced in browsers today is that, even
> when the browser blocks an XSS from loading some content, the HTML of the
> XSS is still in the DOM. I'd like to find some way of preventing the XSS
> from ever making it into the DOM. And, I'd like to be able to separate out
> the parts of CSP that can be done production-side from the parts that have
> to be done by the browser (e.g. redirects).

What is the value of that separation?

I understand that it could help template-engine developers add CSP-related
features into their engines. Is that the extent of the benefit?

Received on Monday, 5 October 2015 12:47:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC