W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2017

Proposal: Compositional CSP

From: Stefano Calzavara <calzavara@dais.unive.it>
Date: Fri, 9 Jun 2017 10:16:13 +0200
Message-ID: <CAGVWdyUCVM+BNpJekUvtr-_HCisROuk4OF7AjWMPTqzC+Ha+0Q@mail.gmail.com>
To: public-webappsec@w3.org
Dear WebAppSec members,

our research group at Università Ca' Foscari Venezia has been working on
CSP during the last few months. Based on the analysis of real-world
scenarios, we observed that the static nature of CSP white-lists creates
troubles at configuring CSP correctly. Strict CSP (based on nonces) is
definitely a step in the right direction, but we believe it does not solve
all the issues we found in the wild, such as HTTP redirects and
advertisements. We are thus proposing Compositional CSP, an extension of
CSP where the enforced content security policy is built from an initial
policy written by the page developers and the policies supplied by the
providers of the included contents.

The results of our research will be presented at USENIX Security 2017, you
can find a pre-print of the paper attached to the present email. I hope you
will enjoy the reading and that our idea could be inspiring to address the
expressiveness issues of CSP we identified. Do you think Compositional CSP
could be helpful in real browsers?

Best,
--
Stefano


Received on Friday, 9 June 2017 08:16:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:23 UTC