
Re: Add ability to specify the version of used CSP

From: Taras Ivashchenko <oxdef@yandex-team.ru>
Date: Fri, 10 Mar 2017 12:26:39 +0300
Message-ID: <1489137999.2949.4.camel@yandex-team.ru>
To: Bil Corry <bil@corry.biz>
Cc: WebAppSec WG <public-webappsec@w3.org>, mkwst@google.com
+mkwst@google.com

9 years ago... and a nice thread. I like the idea of some handshake between browser and server.
The only thing that I'm worried about is additional logic on the webserver side like "if we receive CSP version N from the
browser then send the relevant header with the policy".

Mike, what do you think about CSP built-in versioning?

On Thu, 09/03/2017 at 07:43 -0700, Bil Corry wrote:
> Back in 2008, I provided feedback on a newly proposed CSP specification.  My very first item addressed a shortcoming
> regarding CSP versioning.
> 
> I suggested the client send a header with the version of CSP it supports (if any), and the server could then respond
> with the CSP header for that version (or make other security choices).
> 
> I even called out that it would be better than having multiple CSP headers expressed by the server, e.g.
> 
>         X-Content-Security-Policy: ...
>         X-Content-Security-Policy2: ...
>         X-Content-Security-Policy3: ...
>         X-Content-Security-Policy4: ...
>         X-Content-Security-Policy5: ...
> 
> Instead, the spec omitted a versioning scheme, perhaps because some believed that there would never be a version 2 of
> CSP.
> 
> The entire thread is here and makes for interesting reading, given what we know today:
> 
> https://groups.google.com/forum/m/#!msg/mozilla.dev.security/slJarIvaMM0/discussion
> 
> 
> - Bil
> 
> On Mar 9, 2017, at 2:01 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
> 
> > Hello!
> > 
> > It is awkward to maintain a backward-compatible CSP policy, e.g. keeping 'unsafe-inline' in it alongside a nonce for
> > CSPv1, or frame-src/child-src. It looks like in future versions of CSP this problem will be more obvious.
> > In some cases in a web application it is easier to have support for only the latest standard.
> > What do you think about adding the ability to specify the version of the CSP used?
> > It can be done in header name like:
> > 
> > Content-Security-Policy-v3: ...
> > 
> > If a browser meets more than one CSP header, it should use the header with the latest supported version.
> > 
> > I had also reported the issue on GitHub, but there has been no activity on it for 8 days:
> > https://github.com/w3c/webappsec-csp/issues/189
> > 
> > -- 
> > Taras Ivashchenko
> > Information Security Officer,
> > Yandex
-- 
Taras Ivashchenko
Information Security Officer,
Yandex
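As an added illustration (not code from this thread, from the CSP specification or from any browser), the JavaScript below models the three points the messages above turn on: how a Level 1 user agent and a Level 2/3 user agent each treat a script-src list that carries both a nonce and 'unsafe-inline', which directive governs a frame load at Levels 1 and 3 (frame-src was deprecated in Level 2 and restored in Level 3; Level 2 is not modelled), and how the versioned header name proposed in the thread would be chosen by a browser. The `Content-Security-Policy-v3` header name and the "highest supported version wins" rule are the thread's proposal, not anything shipped; the policy strings and nonce are constructed for the example.

```javascript
// Added example for the CSP versioning thread. Models UA behaviour by CSP level;
// it is not a browser implementation and the versioned header is a proposal only.

// Parse a serialized policy into a Map of directive name -> array of source expressions.
// As in CSP, the first occurrence of a directive name wins and later duplicates are ignored.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Would an inline <script> carrying `nonce` (undefined = no nonce attribute) run under
// `serialized`, as judged by a user agent that implements CSP level `level` (1, 2 or 3)?
function allowsInlineScript(serialized, level, nonce) {
  const policy = parsePolicy(serialized);
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  const nonceOrHashPresent = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));

  if (level < 2) {
    // Level 1 has no nonces or hashes: those expressions are unknown and ignored,
    // so only 'unsafe-inline' can admit an inline script. This is why a policy that
    // must keep working on Level 1 browsers still carries 'unsafe-inline'.
    return hasUnsafeInline;
  }
  // Level 2 and later: once a nonce or hash source is present, 'unsafe-inline' is
  // ignored and the inline script must carry a matching nonce.
  if (nonceOrHashPresent) {
    return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
  }
  return hasUnsafeInline;
}

// Fallback chain consulted for a nested browsing context (<iframe>) load.
// Level 1 knows frame-src only; Level 3 restores frame-src and falls back to
// child-src, then default-src. Level 2 (frame-src deprecated) is not modelled.
const FRAME_FALLBACK = {
  1: ['frame-src', 'default-src'],
  3: ['frame-src', 'child-src', 'default-src'],
};

// Name of the directive that governs a frame load at the given level, or null
// if the policy says nothing about frames for that level.
function frameGoverningDirective(serialized, level) {
  const chain = FRAME_FALLBACK[level];
  if (!chain) throw new Error(`level ${level} not modelled`);
  const policy = parsePolicy(serialized);
  return chain.find(d => policy.has(d)) || null;
}

// The proposal from the thread: the server may send Content-Security-Policy plus
// Content-Security-Policy-vN headers, and the UA honours the highest N it supports.
// The unversioned header is treated here as version 0 (the universal fallback);
// that mapping is an assumption of this example, not part of the proposal text.
function selectPolicyHeader(headers, maxSupportedVersion) {
  let best = null;
  for (const [name, value] of Object.entries(headers)) {
    const m = /^content-security-policy(?:-v(\d+))?$/i.exec(name);
    if (!m) continue;
    const version = m[1] ? Number(m[1]) : 0;
    if (version > maxSupportedVersion) continue;
    if (best === null || version > best.version) best = { name, version, value };
  }
  return best;
}

// Constructed sample policies. COMPAT is the backward-compatible shape the thread
// complains about; STRICT is what a site would prefer to send to modern browsers.
const COMPAT = "script-src 'nonce-r4nd0m' 'unsafe-inline' https://cdn.example; frame-src https://frames.example";
const STRICT = "script-src 'nonce-r4nd0m'; frame-src https://frames.example";
const SAMPLE_HEADERS = {
  'Content-Security-Policy': COMPAT,
  'Content-Security-Policy-v3': STRICT,
};

// Demonstration: on a Level 1 UA the nonce is invisible, so COMPAT admits any inline
// script, while STRICT blocks even a correctly nonced one.
for (const level of [1, 3]) {
  console.log(`level ${level}: COMPAT unnonced inline -> ${allowsInlineScript(COMPAT, level, undefined)},`
    + ` STRICT nonced inline -> ${allowsInlineScript(STRICT, level, 'r4nd0m')},`
    + ` chosen header -> ${selectPolicyHeader(SAMPLE_HEADERS, level).name}`);
}
```

The selection function is the crux of the proposal: a Level 1 browser that has never heard of `Content-Security-Policy-v3` already ignores it today, so the only new behaviour required is that newer browsers prefer the versioned header over the plain one when both are present.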
Received on Friday, 10 March 2017 09:27:15 UTC
