
Re: [Proposal]: Set origin-wide policies via a manifest.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 28 Jul 2016 09:40:52 +0200
Message-ID: <CADnb78iOu=Tg1Dc3ZfcwJAmC-vBAFi=456yq0nfqfDLsAdXyKQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, Joel Weinberger <jww@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Mike O'Neill" <michael.oneill@baycloud.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jul 28, 2016 at 12:43 AM, Brad Hill <hillbrad@gmail.com> wrote:
> 1) If I'm reading this correctly, you could never have a more relaxed CSP
> for a specific resource than the baseline value in an Origin Policy due to
> the way header combination works for CSP.  It seems like some sort of escape
> hatch is necessary to disable Origin-Policy processing for a given response?
> (or you have to be absolutely 100% certain about the baseline policy
> contents and probably still send large delta policies with almost every
> request)

The opt-out is pointing to a different policy (or not pointing to one
at all). That will lead to the browser disregarding the existing
policy of course and notably doesn't work for CORS-preflights (too
late at that point), but it's a pretty good defense-in-depth that
crossdomain.xml didn't offer.
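To make the combination rule behind this exchange concrete, here is an added example (not code from the thread or from the Origin Policy proposal): CSP enforces every delivered policy independently, so a per-response header can only tighten an origin-policy baseline, and the only way to loosen is the opt-out described above (pointing to a different policy or to none). The source-expression matcher is deliberately minimal ('self', '*', and scheme://host origins), and the origins used are constructed.

```python
from urllib.parse import urlsplit


def parse_csp(policy: str) -> dict:
    """Parse a serialized CSP string into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def policy_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Does one policy permit loading `url` under `directive`? (simplified matcher)"""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # directive not governed by this policy: no restriction
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    for src in sources:
        if src == "*" or (src.strip("'") == "self" and origin == page_origin) or src == origin:
            return True
    return False


def combined_allows(policies, directive: str, url: str, page_origin: str) -> bool:
    """CSP rule for multiple policies: a load is permitted only if *every* policy permits it."""
    return all(policy_allows(p, directive, url, page_origin) for p in policies)


def effective_policies(origin_policy_csp, response_csp):
    """Model the manifest proposal: the origin policy's CSP (if the response still points at
    one) is enforced alongside the CSP the individual response carries."""
    policies = []
    if origin_policy_csp is not None:  # None models the opt-out: no origin policy applied
        policies.append(parse_csp(origin_policy_csp))
    if response_csp:
        policies.append(parse_csp(response_csp))
    return policies


if __name__ == "__main__":
    # Constructed origins: an app that wants one page to load a script from a CDN.
    page, cdn_script = "https://app.example", "https://cdn.example/widget.js"
    baseline = "script-src 'self'"                      # origin-wide policy from the manifest
    relaxed = "script-src 'self' https://cdn.example"   # per-response header trying to relax it
    print(combined_allows(effective_policies(baseline, relaxed), "script-src", cdn_script, page))  # False
    print(combined_allows(effective_policies(None, relaxed), "script-src", cdn_script, page))      # True
```

The first call is Brad's point: the delta header cannot override the baseline because both policies must be satisfied. The second is Anne's opt-out, where the response no longer carries the origin policy, so only its own header applies.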

Received on Thursday, 28 July 2016 07:41:20 UTC
