W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

CSP header protection

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Wed, 03 Feb 2016 23:16:35 +0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D2D83649.29FA4%kepeng.lkp@alibaba-inc.com>

Hello all,

We find that some plugins can modify the content of the HTTP CSP response
header or even delete the whole CSP header. In this way, plugins can inject
content into web pages, and this will introduce some security problems.

I searched the archive; this issue was also raised about CSP 1.1 two years
ago:
https://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

We propose to add some text to the CSP spec to emphasize that the CSP
header must not be modified or deleted by the browser or plugins, to avoid
this situation.

What do you think?

Thanks,

Kind Regards

Kepeng Li
Alibaba Group

Received on Wednesday, 3 February 2016 15:17:56 UTC
