Re: Finalizing the shape of CSP ‘unsafe-dynamic’

>> I am a fan of #3 over #2. CSP is already pretty confusing and I
>> value anything that tries to make it simpler.

That the "allow-dynamic" doesn't implicitly drop the URI whitelist.

> Are there use-cases for these separately? I'm all for adding things to the
> platform if they're useful, but I'm not convinced from this thread that
> these keywords add anything other than complexity. That is, Brad can
> accomplish the things he's interested in with two policies, which I think
> actually turns out to be a more powerful primitive than splitting the
> keywords.
>

Hmm... the use case I am interested in is script-src
https://www.dropbox.com/script/require.js 'allow-dynamic'

Right now, this would force me to use a nonce. The nonce then is a leakable
token present in the HTML of the page. Not a huge risk, but still.


> Concretely, would Dropbox use one (or both?) of these keywords if we
> implemented them?
>

Not really sure yet. But, I am inclined towards the script-src example
above.

--dev


> Based on the experience Artur is sharing, the current behavior seems to
> meet most needs. I agree that it's complicated, but I think that's a
> fundamental critique of the whole project at this point. :)
>
> -mike
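An added example, not code from this thread or from any browser: a simplified JavaScript model of the script-src decision that dev's use case turns on, comparing the dynamic keyword as it shipped ('unsafe-dynamic' was renamed 'strict-dynamic', which ignores the host whitelist) with the variant asked for above where the keyword keeps the whitelist. The app.js URL, the nonce value and the keepWhitelist flag are constructed for illustration; host matching is reduced to an exact URL comparison.

```javascript
// Simplified model of a script-src directive (added example, not spec text).
// Real host-source matching (schemes, wildcards, paths) is much richer.
function parseScriptSrc(directiveValue) {
  const policy = { hosts: [], nonces: [], strictDynamic: false, unsafeInline: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    if (token === "'strict-dynamic'") policy.strictDynamic = true;
    else if (token === "'unsafe-inline'") policy.unsafeInline = true;
    else if (token.startsWith("'nonce-")) policy.nonces.push(token.slice(7, -1));
    else policy.hosts.push(token); // host-source, compared exactly below
  }
  return policy;
}

// script: { url, nonce, parserInserted }
//   parserInserted is true for <script> tags in the page markup and false for
//   elements created by already-running script (document.createElement).
// keepWhitelist models the thread's proposal that the dynamic keyword does NOT
// discard host sources; it is an assumption for comparison, not shipped behaviour.
function scriptAllowed(policy, script, keepWhitelist = false) {
  if (script.nonce && policy.nonces.includes(script.nonce)) return true;
  const hostMatch = script.url !== undefined && policy.hosts.includes(script.url);
  if (policy.strictDynamic) {
    if (!script.parserInserted) return true; // trust propagated from a running script
    return keepWhitelist && hostMatch;       // shipped semantics: whitelist ignored
  }
  if (script.url === undefined) return policy.unsafeInline; // inline script
  return hostMatch;
}

// dev's scenario: a whitelisted loader that then pulls in further modules.
function dropboxScenario() {
  const loader = { url: "https://www.dropbox.com/script/require.js", parserInserted: true };
  const module = { url: "https://www.dropbox.com/script/app.js", parserInserted: false }; // constructed
  const hostOnly = parseScriptSrc("https://www.dropbox.com/script/require.js");
  const shipped = parseScriptSrc("https://www.dropbox.com/script/require.js 'strict-dynamic'");
  const withNonce = parseScriptSrc("'nonce-abc123' 'strict-dynamic'"); // constructed nonce
  return {
    hostOnlyLoader: scriptAllowed(hostOnly, loader),   // loader is whitelisted
    hostOnlyModule: scriptAllowed(hostOnly, module),   // app.js is not, so it is blocked
    shippedLoader: scriptAllowed(shipped, loader),     // whitelist ignored, no nonce: blocked
    shippedModule: scriptAllowed(shipped, module),     // allowed by the model, but the loader never ran
    proposedLoader: scriptAllowed(shipped, loader, true), // thread's variant: loader allowed
    nonceLoader: scriptAllowed(withNonce, { ...loader, nonce: "abc123" }), // works, but the nonce sits in the HTML
  };
}
```

The `shippedLoader`/`proposedLoader` pair is the difference being argued about: under the shipped keyword the only way to run the markup-inserted loader is the nonce that dev calls a leakable token.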

Received on Monday, 6 June 2016 14:46:20 UTC