- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 28 Sep 2015 11:15:16 -1000
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Mark Nottingham <mnot@mnot.net>, Travis Leithead <Travis.Leithead@microsoft.com>
- Message-ID: <CAFewVt4TGHz8tn+suhqx29uJLOun=XmLnu1qj1TNv0GyfWBknw@mail.gmail.com>
Mike West <mkwst@google.com> wrote: > We've had some success splitting out features like Upgrade recently. > Perhaps we can go even further to break up our monolith into a set of > miniliths that lean on each other in various ways? > > I have a half-baked idea to split CSP3 into a number of documents along > the following lines: > > * "CSP: Core": defines the headers, their syntax, the general processing > model, the binding of policies to Documents and Workers, and provide hooks > for the general concept of "violation" and reporting that other documents > could poke at (reporting might be worth breaking out into a separate > document, actually). > Reporting should be specified, normatively, in Javascript code that uses the CSP2 DOM events and XHR to do what browser's reporting modules do. I don't think reporting is really "core" to CSP, even though it is a very useful feature. In particular, the reporting mechanism only makes sense for browser implementations of CSP, but it doesn't really make sense for server-side or client-side templating engines that take a CSP to guide them in rejecting bad inputs (input-side validation instead of output-side validation of CSP). So, I think reporting should be moved out of core. > As a test balloon for this last bit of the proposal, I've sketched out > mnot's `cookie-scope` idea as a separate document at > https://w3c.github.io/webappsec/specs/csp-cookies/. WDYT? On the one > hand, it's pretty small. On the other, perhaps browser vendors could be > encouraged to tick a number of tiny checkboxes faster than they might tick > a big checkbox, even if the functionality is the same? > The main advantage I see in splitting out features into multiple documents is that things that trigger the W3C process causing a document reverting back to CR from PR (etc.) would negatively affect smaller pieces. Since the goal seems to be to prioritize features that browsers should implement right away, I think it is worth categorizing features this way: 1. Features that everybody implements (approximately CSP 1). 2. Aspects that affect compatibility with CSP-1-only implementations. For example, if there are aspects of the CSP 2 syntax that cause CSP-1-only implementations to fail to parse the policy, because the policy conforms to CSP 2 syntax but not CSP 1 syntax, then these issues should be addressed in some way. 3. Apsects of CSP that are really important for a browser to implement, because they cannot be enforced by input-side validation of CSP policy conformance (on the server or in JS code implementing a templating engine). For example, "frame-ancestor" is very important for browsers to implement because it can't be enforced input-side, but new source-list stuff is less important because the templating engine can and should have already have prevented all that badness in the first place before the browser sees it. 4. The defense-in-depth features that are redundant with good input-side validation practices but which are critical if you have a bunch of terrible code sitting on your servers with bugs that you want to use CSP to wallpaper over. Ultimately, I think it is unreasonable to expect web browsers to invest time to implement features that just wallpaper over server-side bugs, and I think a lot of CSP would actually be classified that way. I think CSP is brilliant but I think our emphasis on browser enforcement of CSP policies is counterproductive in the long run. Most of CSP should actually be enforced by the templating engines. I think the idea of sending a CSP header with a bunch of source-list directives for the browser to enforce will be considered an obsolete practice in a few years as input-side enforcement of CSP gets implemented and deployed. > P.P.S. I'm also starting to think that Brian was right about CSP being > better if we lock it down it to purely restrictive directives, and move > things like `referrer` out to their own whatever. > Brilliant! > Don't tell him I said so, though. > Will do. He'd never let you forget it. :) Cheers, Brian -- https://briansmith.org/
Received on Monday, 28 September 2015 21:15:46 UTC