- From: Taras Ivashchenko <oxdef@yandex-team.ru>
- Date: Mon, 20 Mar 2017 13:45:49 +0300
- To: mkwst@google.com
- Cc: WebAppSec WG <public-webappsec@w3.org>, Bil Corry <bil@corry.biz>
- Message-ID: <1490006749.2983.10.camel@yandex-team.ru>
Mike?

On Fri, 10/03/2017 at 12:26 +0300, Taras Ivashchenko wrote:
> +mkwst@google.com
>
> 9 years ago...and nice thread. I like the idea about some handshake between browser and server.
> The only thing that I'm worried about is additional logic on webserver side like "if we receive CSP version N from the browser then send relevant header with policy".
>
> Mike, what do you think about CSP built-in versioning?
>
> On Thu, 09/03/2017 at 07:43 -0700, Bil Corry wrote:
> > Back in 2008, I provided feedback on a newly proposed CSP specification. My very first item addressed a shortcoming regarding CSP versioning.
> >
> > I suggested the client send a header with the version of CSP it supports (if any), and the server could then respond with the CSP header for that version (or make other security choices).
> >
> > I even called out that it would be better than having multiple CSP headers expressed by the server, e.g.
> >
> > X-Content-Security-Policy: ...
> > X-Content-Security-Policy2: ...
> > X-Content-Security-Policy3: ...
> > X-Content-Security-Policy4: ...
> > X-Content-Security-Policy5: ...
> >
> > Instead, the spec omitted a versioning scheme, perhaps because some believed that there would never be a version 2 of CSP.
> >
> > The entire thread is here and makes for interesting reading, given what we know today:
> >
> > https://groups.google.com/forum/m/#!msg/mozilla.dev.security/slJarIvaMM0/discussion
> >
> > - Bil
> >
> > On Mar 9, 2017, at 2:01 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
> >
> > > Hello!
> > >
> > > It is awkward to maintain backward compatible CSP policy, e.g. keep in it unsafe-inline with nonce for CSPv1 or frame-src/child-src. It looks like in the future versions of CSP such problem will be more obvious.
> > > In some cases in web application it is easier to have support of only the last one standard.
> > > What do you think about adding ability to specify the version of used CSP?
> > > It can be done in header name like:
> > >
> > > Content-Security-Policy-v3: ...
> > >
> > > If browser meets more than one CSP header it should use header with the latest supported version.
> > >
> > > I had also reported the issue on GitHub but there is no activity in it during 8 days
> > > https://github.com/w3c/webappsec-csp/issues/189
> > >
> > > --
> > > Taras Ivashchenko
> > > Information Security Officer,
> > > Yandex

--
Taras Ivashchenko
Information Security Officer,
Yandex
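The browser-to-server version handshake Bil describes, and the backward-compatible fallback policy Taras calls awkward, as an added example that is not part of this thread: a server-side policy selector in Python. The request header name `Sec-CSP-Version` is a hypothetical placeholder (no such header exists in any CSP level), and the policy contents are illustrative.

```python
"""Pick a CSP header from a (hypothetical) client version hint.

Assumption: the browser advertises the CSP level it supports in a request
header called "Sec-CSP-Version" (placeholder name). With no hint, the server
has to send one compromise policy that every CSP level tolerates.
"""
import secrets
from typing import Dict, Optional, Tuple

HINT_HEADER = "Sec-CSP-Version"  # hypothetical, not a real header


def parse_csp_version(headers: Dict[str, str]) -> Optional[int]:
    """Return the CSP level the client advertises, or None if absent/malformed."""
    raw = headers.get(HINT_HEADER)
    if raw is None:
        return None
    try:
        level = int(raw.strip())
    except ValueError:
        return None  # malformed hint: treat it as unknown and use the fallback
    return level if 1 <= level <= 3 else None


def policy_for(version: Optional[int], nonce: str) -> str:
    """Build the policy for a known level, or the level-agnostic fallback."""
    if version is None:
        # Fallback: a CSP2+ browser ignores 'unsafe-inline' once a nonce is
        # present, while a CSP1 browser ignores the nonce and relies on
        # 'unsafe-inline'. frame-src and child-src are both listed because
        # CSP2 reads child-src whereas CSP1 and CSP3 read frame-src.
        return (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}' 'unsafe-inline'; "
            "frame-src 'self'; child-src 'self'"
        )
    if version == 1:  # no nonce support at all in Level 1
        return "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-src 'self'"
    if version == 2:  # Level 2 deprecated frame-src in favour of child-src
        return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; child-src 'self'"
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; frame-src 'self'"


def csp_header_for_request(headers: Dict[str, str], nonce: Optional[str] = None) -> Tuple[str, str]:
    """Return the (header name, value) pair to emit for this request."""
    nonce = nonce or secrets.token_urlsafe(16)  # fresh per response in practice
    return "Content-Security-Policy", policy_for(parse_csp_version(headers), nonce)
```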
Received on Monday, 20 March 2017 10:46:27 UTC