Re: On the Insecurity of Whitelists and the Future of CSP

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 8 Sep 2016 08:50:25 -0700
To: Mike West <mkwst@google.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>
Message-ID: <7e298e2a-5835-86d5-5d97-f44e337c39fa@mozilla.com>
On 9/8/16 6:10 AM, Mike West wrote:
> What syntax issue do we need to discuss? If there are remaining syntax
> questions, we should resolve them quickly, as Chrome is shipping what's
> currently in the spec, and Google sites are beginning to rely on the
> currently specified behavior. :)

I'm uncomfortable with the multilayered "ignore this if that" within a
single directive; it will be especially confusing to developers to have
an ignored whitelist of sites. It would be clearer, and more flexible in
the future if we need to add options or restrictions on
'strict-dynamic', to have a separate directive which overrides
'script-src' in UAs that understand it (as script-src itself overrides
default-src).

Because we may want other dynamic types in the future, and to help
indicate what it's overriding, we would want to rename it to
'dynamic-script' or something.

-Dan Veditz
Received on Thursday, 8 September 2016 15:50:57 UTC
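An added illustration, not part of the thread, of the "ignore this if that" layering Dan objects to: a simplified Python model of CSP3 script-source matching, showing that once 'strict-dynamic' appears in script-src the host whitelist in the same directive stops counting, and that script-src replaces default-src wholesale. The header strings are constructed for the example and host matching is reduced to exact origin equality.

```python
import re

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")

def parse_csp(header):
    """Parse a CSP header into {directive name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_script_sources(policy):
    """script-src overrides default-src entirely (the fallback Dan cites)."""
    return policy.get("script-src", policy.get("default-src", []))

def script_allowed(policy, host=None, nonce=None,
                   parser_inserted=True, created_by_trusted=False):
    """Simplified CSP3 script check (model only, not a browser's algorithm).

    host:               origin of an external script (exact match only here)
    nonce:              value of the element's nonce attribute, if any
    parser_inserted:    True for scripts in the markup or from document.write,
                        False for createElement()+appendChild()
    created_by_trusted: the inserting script was itself allowed by the policy
    """
    sources = effective_script_sources(policy)
    nonces = set()
    for src in sources:
        m = NONCE_RE.match(src)
        if m:
            nonces.add(m.group(1))
    if nonce is not None and nonce in nonces:
        return True
    if "'strict-dynamic'" in sources:
        # The "ignore this if that" layer: host sources, 'self' and
        # 'unsafe-inline' listed in the same directive no longer count;
        # trust only propagates to non-parser-inserted scripts that were
        # created by already-trusted code.
        return (not parser_inserted) and created_by_trusted
    if host is not None:
        return host in sources or "*" in sources
    return "'unsafe-inline'" in sources
```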