'strict-dynamic' syntax (was Re: On the Insecurity of Whitelists and the Future of CSP)

Hey Dan, I'll fork this thread for clarity.

On Thu, Sep 8, 2016 at 5:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 9/8/16 6:10 AM, Mike West wrote:
> > What syntax issue do we need to discuss? If there are remaining syntax
> > questions, we should resolve them quickly, as Chrome is shipping what's
> > currently in the spec, and Google sites are beginning to rely on the
> > currently specified behavior. :)
>
> I'm uncomfortable with the multilayered "ignore this if that" within a
> single directive; it will be especially confusing to developers to have
> an ignored whitelist of sites. It would be clearer, and more flexible in
> the future if we need to add options or restrictions on
> 'strict-dynamic', to have a separate directive which overrides
> 'script-src' in UAs that understand it (as script-src itself overrides
> default-src).
>
> Because we may want other dynamic types in the future, and to help
> indicate what it's overriding, we would want to rename it to
> 'dynamic-script' or something.
>

My recollection is that we went back and forth on this a bit at the F2F
(https://www.w3.org/2011/webappsec/minutes/2016-05-17-webappsec-minutes.html),
the list
(https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0007.html), and
agreed upon the current syntax. Dev expressed some reservations about the
syntax, but ended up agreeing with Artur on the current framing (renaming
from 'unsafe-dynamic' to 'strict-dynamic'). Brad also expressed some
reservations early on in the thread, but didn't object to the final
framing. Mozilla didn't really participate in that conversation. I'm a
little surprised that you're expressing worries about the syntax now. :)

That said, Google is probably the only high-volume consumer of the syntax
right now. We probably have a (narrowing) window for change.

Would you mind putting together a more concrete proposal that we can talk
about at TPAC? What flexibility and future types would you like to
guarantee?

-mike

Received on Thursday, 8 September 2016 16:15:55 UTC
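The "ignore this if that" layering Dan refers to above, as an added example that is not part of this thread or of any browser's or Google's code: a toy JavaScript model of how a CSP3-aware user agent reads a script-src value containing 'strict-dynamic', placed next to how a user agent that does not know the keyword reads the same header. The policy value, the host names and the script scenarios are constructed for the example; scheme-sources such as `https:`, ports and paths are not modelled, and the parser-inserted flag stands in for the browser's own tracking of how a script element entered the document.

```javascript
// Toy model of CSP3 script-src matching with 'strict-dynamic' (added example,
// not from the thread). It shows two stacked "ignore this if that" rules:
//   layer 1: a nonce- or hash-source makes 'unsafe-inline' inert;
//   layer 2: 'strict-dynamic' makes 'self' and every host-source inert,
//            and instead trusts scripts added by non-parser-inserted means.
// Scheme-sources, ports and paths are deliberately not modelled.

function parseSourceList(value, uaKnowsStrictDynamic = true) {
  const list = { strictDynamic: false, unsafeInline: false, self: false,
                 nonces: new Set(), hashes: new Set(), hosts: [] };
  for (const tok of value.trim().split(/\s+/).filter(Boolean)) {
    const lower = tok.toLowerCase();
    if (lower === "'strict-dynamic'") {
      // A UA that predates CSP3 sees an unknown keyword and simply drops it,
      // which is why the policy below still carries a host whitelist.
      if (uaKnowsStrictDynamic) list.strictDynamic = true;
    } else if (lower === "'unsafe-inline'") list.unsafeInline = true;
    else if (lower === "'self'") list.self = true;
    else if (/^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(tok)) list.nonces.add(tok.slice(7, -1));
    else if (/^'sha(256|384|512)-[A-Za-z0-9+\/=]+'$/.test(tok)) list.hashes.add(tok.slice(1, -1));
    else list.hosts.push(lower); // host-source (scheme-sources land here too, unmatched)
  }
  return list;
}

// Simplified host-source match: exact host or a leading '*.' wildcard.
function hostMatches(expr, host) {
  const h = expr.replace(/^[a-z][a-z0-9+.\-]*:\/\//, '').replace(/[\/:].*$/, '');
  if (h === '*') return true;
  if (h.startsWith('*.')) return host.endsWith(h.slice(1));
  return h === host;
}

// script: { inline, nonce?, hash?, host?, parserInserted }; documentHost is the page's host.
function allowsScript(list, script, documentHost) {
  if (script.nonce && list.nonces.has(script.nonce)) return { allowed: true, reason: 'nonce matched' };
  if (script.hash && list.hashes.has(script.hash)) return { allowed: true, reason: 'hash matched' };
  if (list.strictDynamic) {
    // Layer 2: the whitelist, 'self' and 'unsafe-inline' are ignored entirely.
    // Trust propagates only to elements a trusted script creates via
    // createElement/appendChild, never to markup from innerHTML or document.write.
    if (!script.parserInserted) return { allowed: true, reason: "'strict-dynamic' propagation" };
    return { allowed: false, reason: "'strict-dynamic' present: whitelist ignored" };
  }
  if (script.inline) {
    // Layer 1: 'unsafe-inline' only counts when no nonce- or hash-source is present.
    const ok = list.unsafeInline && list.nonces.size === 0 && list.hashes.size === 0;
    return { allowed: ok, reason: ok ? "'unsafe-inline'" : 'inline script without nonce/hash' };
  }
  if (list.self && script.host === documentHost) return { allowed: true, reason: "'self'" };
  if (list.hosts.some(h => hostMatches(h, script.host))) return { allowed: true, reason: 'host whitelist' };
  return { allowed: false, reason: 'no source expression matched' };
}

// Constructed policy in the usual "strict-dynamic with fallback" shape.
const POLICY = "'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https: cdn.example.com";

// Runs four constructed scenarios under a CSP3 UA and a pre-CSP3 UA.
function demo() {
  const modern = parseSourceList(POLICY, true);
  const legacy = parseSourceList(POLICY, false);
  const page = 'www.example.com';
  const scripts = {
    noncedInline: { inline: true, nonce: 'r4nd0m', parserInserted: true },
    cdnTag:       { inline: false, host: 'cdn.example.com', parserInserted: true },
    dynamicLoad:  { inline: false, host: 'cdn.example.com', parserInserted: false },
    unnoncedInline: { inline: true, parserInserted: true },
  };
  const out = {};
  for (const [name, s] of Object.entries(scripts)) {
    out[name] = { modern: allowsScript(modern, s, page).allowed,
                  legacy: allowsScript(legacy, s, page).allowed };
  }
  return out;
}

console.log(demo());
```

The interesting row is `cdnTag`: the same header lets a parser-inserted `<script src>` from the whitelisted CDN run in a UA that ignores 'strict-dynamic' and blocks it in one that honours it, which is exactly the "ignored whitelist of sites" that a separate overriding directive would make visible in the header itself rather than in the matching rules.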