W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

[Proposal]: Set origin-wide policies via a manifest.

From: Mike West <mkwst@google.com>
Date: Tue, 26 Jul 2016 16:35:19 +0200
Message-ID: <CAKXHy=eZX=FmHH7nLbdPJCEDd1j1TDf4qwEOXTEMkZgKySUr5w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hello, webappsecians!

I've thrown
https://discourse.wicg.io/t/proposal-set-origin-wide-policies-via-a-manifest/1617
up at WICG, but the folks in this venue are probably the ones from whom I'm
most interested in getting feedback.

https://mikewest.github.io/origin-policy/ sketches out a pinning mechanism
for policies that apply to an entire origin. Among other things, it's meant
as a replacement for the CSP Pinning mechanism this group just relegated to
NOTE status.

In a nutshell, the manifest contains a list of headers (and potentially
other kinds of policy, CORS behavior, for instance) that are to be applied
to each response from an origin, and the general flow is as follows:

1.  The user agent navigates to an origin.
2.  The server points the user agent to a manifest file along with the
response.
3.  The user agent blocks navigation until it retrieves the manifest.
4.  The newly acquired manifest is cached, and applied to the current and
subsequent fetches from the origin.

I hope the examples in https://mikewest.github.io/origin-policy/#examples
make the flow clear.

General feedback is probably best sent to the WICG thread
<https://discourse.wicg.io/t/proposal-set-origin-wide-policies-via-a-manifest/1617>.
Specific feedback is probably best sent as a GitHub issue
<https://github.com/mikewest/origin-policy/issues>.

Thanks! Hopefully this concept isn't nuts.

-mike
Received on Tuesday, 26 July 2016 14:36:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC