- From: Taras Ivashchenko <oxdef@yandex-team.ru>
- Date: Fri, 10 Mar 2017 12:26:39 +0300
- To: Bil Corry <bil@corry.biz>
- Cc: WebAppSec WG <public-webappsec@w3.org>, mkwst@google.com
- Message-ID: <1489137999.2949.4.camel@yandex-team.ru>
+mkwst@google.com 9 years ago...and nice thread. I like the idea about some handshake between browser and server. The only thing that I'm worried about is additional logic on the webserver side like "if we receive CSP version N from the browser then send relevant header with policy". Mike, what do you think about CSP built-in versioning?

On Thu, 09/03/2017 at 07:43 -0700, Bil Corry wrote:
> Back in 2008, I provided feedback on a newly proposed CSP specification. My very first item addressed a shortcoming regarding CSP versioning.
>
> I suggested the client send a header with the version of CSP it supports (if any), and the server could then respond with the CSP header for that version (or make other security choices).
>
> I even called out that it would be better than having multiple CSP headers expressed by the server, e.g.
>
> X-Content-Security-Policy: ...
> X-Content-Security-Policy2: ...
> X-Content-Security-Policy3: ...
> X-Content-Security-Policy4: ...
> X-Content-Security-Policy5: ...
>
> Instead, the spec omitted a versioning scheme, perhaps because some believed that there would never be a version 2 of CSP.
>
> The entire thread is here and makes for interesting reading, given what we know today:
>
> https://groups.google.com/forum/m/#!msg/mozilla.dev.security/slJarIvaMM0/discussion
>
>
> - Bil
>
> On Mar 9, 2017, at 2:01 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
>
> > Hello!
> >
> > It is awkward to maintain a backward-compatible CSP policy, e.g. keep in it unsafe-inline with nonce for CSPv1 or frame-src/child-src. It looks like in the future versions of CSP such problem will be more obvious.
> > In some cases in a web application it is easier to have support of only the last standard.
> > What do you think about adding the ability to specify the version of the used CSP?
> > It can be done in the header name like:
> >
> > Content-Security-Policy-v3: ...
> >
> > If the browser meets more than one CSP header it should use the header with the latest supported version.
> >
> > I had also reported the issue on GitHub but there is no activity in it for 8 days
> > https://github.com/w3c/webappsec-csp/issues/189
> >
> > --
> > Taras Ivashchenko
> > Information Security Officer,
> > Yandex

--
Taras Ivashchenko
Information Security Officer,
Yandex
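The two mechanisms the thread contrasts, modelled in Python as an added example (not code from the thread, the CSP specification, or any browser or server): the server-side branch Taras worries about ("if we receive CSP version N from the browser then send the relevant policy") next to the single backward-compatible policy it would replace, and the client-side rule from his original message (enforce the highest `Content-Security-Policy-vN` header the browser supports). The request header `Sec-CSP-Version`, the `Content-Security-Policy-vN` response header family and the sample policies are all assumptions constructed for this illustration; none of them is standardised.

```python
"""Added example: server-side policy selection and client-side header selection
for the CSP versioning ideas discussed in the thread.  Nothing here is part of
the CSP specification: the request header "Sec-CSP-Version" and the response
headers "Content-Security-Policy-vN" are hypothetical names."""
from typing import Dict, List, Optional, Tuple

ADVERTISED_VERSION_HEADER = "sec-csp-version"          # hypothetical request header
VERSIONED_HEADER_PREFIX = "content-security-policy-v"  # hypothetical response header family
MAX_LEVEL = 3


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source-expression, ...]}."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: 'name src src; name src' with no trailing separator."""
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in directives.items())


def policy_for_level(level: int, nonce: str) -> Dict[str, List[str]]:
    """Directives tailored to one CSP level, with no compatibility baggage (constructed sample)."""
    nonce_src = f"'nonce-{nonce}'"
    if level >= 3:
        # CSP3 understands 'strict-dynamic' and reinstated frame-src.
        return {"default-src": ["'self'"],
                "script-src": [nonce_src, "'strict-dynamic'"],
                "frame-src": ["'self'"]}
    if level == 2:
        # CSP2 understands nonces; child-src governs frames.
        return {"default-src": ["'self'"],
                "script-src": [nonce_src],
                "child-src": ["'self'"]}
    # CSP1 has no nonces: inline scripts must be allowed explicitly (or avoided).
    return {"default-src": ["'self'"],
            "script-src": ["'self'", "'unsafe-inline'"],
            "frame-src": ["'self'"]}


def backward_compatible_policy(nonce: str) -> Dict[str, List[str]]:
    """The single policy the thread calls awkward to maintain.

    Level 2+ browsers ignore 'unsafe-inline' once a nonce source is present, so it
    only takes effect on Level 1 browsers; frame-src and child-src are both listed
    because Level 2 deprecated frame-src in favour of child-src and Level 3 reinstated it."""
    return {"default-src": ["'self'"],
            "script-src": ["'self'", f"'nonce-{nonce}'", "'unsafe-inline'", "'strict-dynamic'"],
            "frame-src": ["'self'"],
            "child-src": ["'self'"]}


def choose_csp_header(request_headers: Dict[str, str], nonce: str) -> Tuple[str, str]:
    """Server side of the handshake: pick the policy for the advertised level, falling
    back to the compatibility policy when no (or an unparsable) level is advertised."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    raw = lowered.get(ADVERTISED_VERSION_HEADER, "").strip()
    if not raw.isdigit() or int(raw) < 1:
        policy = backward_compatible_policy(nonce)
    else:
        policy = policy_for_level(min(int(raw), MAX_LEVEL), nonce)
    return "Content-Security-Policy", serialize_csp(policy)


def client_select_policy(response_headers: Dict[str, str], supported_level: int) -> Optional[str]:
    """Client side of the versioned-header proposal: among Content-Security-Policy-vN headers,
    enforce the highest N the browser supports; otherwise use the unversioned header, if any."""
    best_level, best_value, plain = 0, None, None
    for name, value in response_headers.items():
        lname = name.lower()
        if lname == "content-security-policy":
            plain = value
        elif lname.startswith(VERSIONED_HEADER_PREFIX):
            suffix = lname[len(VERSIONED_HEADER_PREFIX):]
            if suffix.isdigit() and best_level < int(suffix) <= supported_level:
                best_level, best_value = int(suffix), value
    return best_value if best_value is not None else plain


if __name__ == "__main__":
    # Constructed sample exchange: a Level 3 browser and one that advertises nothing, same nonce.
    for hdrs in ({"Sec-CSP-Version": "3"}, {}):
        print(hdrs, "->", choose_csp_header(hdrs, "d3adb33f"))
```

Comparing the two outputs of the `__main__` block shows the maintenance cost the thread is about: without a handshake the server has to ship `'unsafe-inline'`, a nonce, `frame-src` and `child-src` all at once and rely on newer browsers discarding the parts they no longer need, while with an advertised level (or with the client-side `Content-Security-Policy-vN` rule) each policy can be written for exactly one level.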
Received on Friday, 10 March 2017 09:27:15 UTC