W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: [CSP2] connect-src 'self' and websockets

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 28 Sep 2015 10:18:40 -0700
To: Mike West <mkwst@google.com>, André N. Klingsheim <andre.klingsheim@owasp.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56097670.10305@mozilla.com>
On 9/28/15 6:43 AM, Mike West wrote:
> I think this is probably worth considering as a simplification for 
> developers, though it complicates the model a little bit by changing
> an origin-based comparison into a host-based comparison. Locking it
> to schemes with the same security properties or better might be
> doable (e.g. 'self' on `http://example.com` could allow
> `ws://example.com ` or `wss://example.com`, but 'self' on
> `https://example.com` would only allow `wss://example.com`.

I do not want CSP to devolve from origin-based to host-based (we've seen
where that gets us with cookies), but I could live with an explicit
exception equating "ws:" and "http:" wrt 'self'. Ports would still have
to match, of course.

Are there non-trivial services that actually run a web socket on the
same port as their normal web pages? If not this change wouldn't help much.

As Mike said, a request for CSP3 -- we're nearly wrapped up for CSP2.

-Dan Veditz
Received on Monday, 28 September 2015 17:19:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC