
Add ability to specify the version of used CSP

From: Taras Ivashchenko <oxdef@yandex-team.ru>
Date: Thu, 09 Mar 2017 12:01:12 +0300
Message-ID: <1489050072.4694.6.camel@yandex-team.ru>
To: WebAppSec WG <public-webappsec@w3.org>

It is awkward to maintain a backward compatible CSP policy, e.g. keeping 'unsafe-inline' in it alongside a nonce for CSPv1, or frame-src/child-src. It looks like in future versions of CSP such a problem will be more obvious.
In some cases in a web application it is easier to support only the latest standard.
What do you think about adding the ability to specify the version of CSP used?
It can be done in the header name, like:

Content-Security-Policy-v3: ...

If a browser meets more than one CSP header, it should use the header with the latest supported version.

I had also reported the issue on GitHub, but there has been no activity on it for 8 days.

Taras Ivashchenko
Information Security Officer,
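The two behaviours the message describes, modelled in Python as an added example (not code from this thread or from any browser): a selection rule for the proposed versioned header, and a simplified model of why a single policy carrying both a nonce and 'unsafe-inline' reads differently to a Level 1 and a Level 2+ user agent. The `Content-Security-Policy-v<N>` header name, the `supported_version` parameter and the sample headers are assumptions following the proposal.

```python
import re
from typing import List, Optional, Set, Tuple

# The real header, plus the proposed versioned form (assumed name pattern).
BASE_HEADER = "content-security-policy"
VERSIONED = re.compile(r"^content-security-policy-v(\d+)$")


def select_policy(headers: List[Tuple[str, str]], supported_version: int) -> Optional[str]:
    """Policy a browser supporting CSP level `supported_version` would enforce
    under the proposed rule: highest versioned header it supports wins,
    otherwise fall back to the unversioned Content-Security-Policy header."""
    best_version, best_policy, base_policy = -1, None, None
    for name, value in headers:
        name = name.lower()
        match = VERSIONED.match(name)
        if match:
            version = int(match.group(1))
            if best_version < version <= supported_version:
                best_version, best_policy = version, value
        elif name == BASE_HEADER:
            base_policy = value
    return best_policy if best_policy is not None else base_policy


def _is_nonce_or_hash(token: str) -> bool:
    return token.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))


def effective_script_sources(policy: str, level: int) -> Set[str]:
    """Simplified model of how script-src is read: a Level 1 agent skips the
    nonce/hash sources it does not know, so 'unsafe-inline' stays in force;
    a Level 2+ agent ignores 'unsafe-inline' once a nonce or hash is present."""
    tokens: List[str] = []
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            tokens = parts[1:]
            break
    if level < 2:
        return {t for t in tokens if not _is_nonce_or_hash(t)}
    if any(_is_nonce_or_hash(t) for t in tokens):
        return {t for t in tokens if t != "'unsafe-inline'"}
    return set(tokens)


# Constructed sample: one backward compatible policy for every level, and a
# separate v3-only policy that can drop the compatibility baggage.
COMPAT_POLICY = "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"
SAMPLE_HEADERS = [
    ("Content-Security-Policy", COMPAT_POLICY),
    ("Content-Security-Policy-v3", "script-src 'self' 'nonce-r4nd0m'"),
]
```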
Received on Thursday, 9 March 2017 09:01:49 UTC
