W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2017

Re: Add ability to specify the version of used CSP

From: Taras Ivashchenko <oxdef@yandex-team.ru>
Date: Mon, 20 Mar 2017 13:45:49 +0300
Message-ID: <1490006749.2983.10.camel@yandex-team.ru>
To: mkwst@google.com
Cc: WebAppSec WG <public-webappsec@w3.org>, Bil Corry <bil@corry.biz>
Mike?

В Пт, 10/03/2017 в 12:26 +0300, Taras Ivashchenko пишет:
> +mkwst@google.com
> 
> 9 years ago...and nice thread. I like the idea about some handshake between browser and server.
> The only thing that I'm worried about is additional logic on webserver site like "if we receive CSP version N from the
> browser then send relevant header with policy". 
> 
> Mike, what do you think about CSP built-in versioning?
> 
> В Чт, 09/03/2017 в 07:43 -0700, Bil Corry пишет:
> > Back in 2008, I provided feedback on a newly proposed CSP specification.  My very first item addressed a shortcoming
> > regarding CSP versioning.
> > 
> > I suggested the client send a header with the version of CSP it supports (if any), and the server could then respond
> > with the CSP header for that version (or make other security choices).
> > 
> > I even called out that it would be better than having multiple CSP headers expressed by the server, e.g.
> > 
> >         X-Content-Security-Policy: ...
> >         X-Content-Security-Policy2: ...
> >         X-Content-Security-Policy3: ...
> >         X-Content-Security-Policy4: ...
> >         X-Content-Security-Policy5: ...
> > 
> > Instead, the spec omitted a versioning scheme, perhaps because some believed that there would never be a version 2
> > of
> > CSP.
> > 
> > The entire thread is here and makes for interesting reading, given what we know today:
> > 
> > https://groups.google.com/forum/m/#!msg/mozilla.dev.security/slJarIvaMM0/discussion
> > 
> > 
> > - Bil
> > 
> > On Mar 9, 2017, at 2:01 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
> > 
> > > Hello!
> > > 
> > > It is awkward to maintain backward compatible CSP policy, e.g. keep in it unsafe-inline with nonce for CSPv1 or
> > > frame-
> > > src/child-src. It looks like in the future versions of CSP such problem will be more obvious. 
> > > In some cases in web application it is easer to have support of only the last one standard. 
> > > What do you think about adding ability to specify the version of used CSP? 
> > > It can be done in header name like:
> > > 
> > > Content-Security-Policy-v3: ...
> > > 
> > > If browser meets more the one CSP header it should use header with the latest support version.
> > > 
> > > I had also reported the issue on GitHub but there is no activity in it during 8 days
> > > https://github.com/w3c/webappsec-csp/issues/189
> > > 
> > > -- 
> > > Taras Ivashchenko
> > > Information Security Officer,
> > > Yandex
-- 
Taras Ivashchenko
Information Security Officer,
Yandex
Received on Monday, 20 March 2017 10:46:27 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC