
'strict-dynamic' syntax (was Re: On the Insecurity of Whitelists and the Future of CSP)

From: Mike West <mkwst@google.com>
Date: Thu, 8 Sep 2016 18:15:05 +0200
Message-ID: <CAKXHy=ejttJC=HfhxoX55rV9DZLJ0yD+AaOhb+Qp3vj6ckd1TA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Artur Janc <aaj@google.com>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>

Hey Dan, I'll fork this thread for clarity.

On Thu, Sep 8, 2016 at 5:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 9/8/16 6:10 AM, Mike West wrote:
> > What syntax issue do we need to discuss? If there are remaining syntax
> > questions, we should resolve them quickly, as Chrome is shipping what's
> > currently in the spec, and Google sites are beginning to rely on the
> > currently specified behavior. :)
>
> I'm uncomfortable with the multilayered "ignore this if that" within a
> single directive; it will be especially confusing to developers to have
> an ignored whitelist of sites. It would be clearer, and more flexible in
> the future if we need to add options or restrictions on
> 'strict-dynamic', to have a separate directive which overrides
> 'script-src' in UAs that understand it (as script-src itself overrides
> default-src).
>
> Because we may want other dynamic types in the future, and to help
> indicate what it's overriding, we would want to rename it to
> 'dynamic-script' or something.
>

My recollection is that we went back and forth on this a bit at the F2F
(https://www.w3.org/2011/webappsec/minutes/2016-05-17-webappsec-minutes.html),
the list
(https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0007.html),
and agreed upon the current syntax. Dev expressed some reservations about the
syntax, but ended up agreeing with Artur on the current framing (renaming
from 'unsafe-dynamic' to 'strict-dynamic'). Brad also expressed some
reservations early on in the thread, but didn't object to the final
framing. Mozilla didn't really participate in that conversation. I'm a
little surprised that you're expressing worries about the syntax now. :)

That said, Google is probably the only high-volume consumer of the syntax
right now. We probably have a (narrowing) window for change.

Would you mind putting together a more concrete proposal that we can talk
about at TPAC? What flexibility and future types would you like to
guarantee?

-mike
Received on Thursday, 8 September 2016 16:15:55 UTC
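
The "ignore this if that" layering discussed in this thread, as an added example that is not part of the original message or of any browser's code: it computes which script-src source expressions a user agent honors depending on the CSP level it implements. The policy string, the nonce value, cdn.example.com and the function names are constructed for illustration.

```javascript
// Constructed sample policy in the backward-compatible style: older UAs fall
// back to the whitelist, newer ones rely on the nonce plus 'strict-dynamic'.
const SAMPLE_POLICY =
  "default-src 'none'; script-src 'unsafe-inline' https: 'self' " +
  "cdn.example.com 'nonce-r4nd0m' 'strict-dynamic'";

// Split a serialized policy into directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);
const isQuotedKeyword = (s) => /^'.*'$/.test(s);

// cspLevel: 1 = whitelist only, 2 = understands nonces/hashes,
// 3 = also understands 'strict-dynamic'.
function effectiveScriptSources(policy, cspLevel) {
  const d = parsePolicy(policy);
  // script-src overrides default-src when both are present.
  const list = d.get('script-src') ?? d.get('default-src') ?? null;
  if (list === null) return { honored: null, ignored: [] };
  const hasNonceOrHash = list.some(isNonceOrHash);
  const strictDynamic =
    cspLevel >= 3 && list.some((s) => s.toLowerCase() === "'strict-dynamic'");
  const honored = [], ignored = [];
  for (const src of list) {
    const lower = src.toLowerCase();
    let drop = false;
    if (lower === "'strict-dynamic'") drop = cspLevel < 3; // unknown keyword
    else if (isNonceOrHash(src)) drop = cspLevel < 2;      // unknown syntax
    else if (lower === "'unsafe-inline'")
      drop = (cspLevel >= 2 && hasNonceOrHash) || strictDynamic;
    else if (lower === "'self'" || !isQuotedKeyword(src))
      drop = strictDynamic; // 'self', host-sources and scheme-sources
    (drop ? ignored : honored).push(src);
  }
  return { honored, ignored };
}
```

Running it for levels 1, 2 and 3 against the same header shows three different effective policies, which is a useful check when auditing a policy that lists both a whitelist and 'strict-dynamic'.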
