Re: [CSP2] Large CSP headers

Is it time to seriously consider adding includes to the CSP spec?
Large headers that could be cached if they were included from a URL are
becoming a common problem.

On Sat, Dec 28, 2019, 4:34 PM Craig Francis <craig.francis@gmail.com> wrote:

> On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:
>
>> I have seen weird errors when setting such a 'none' CSP. Such as images (even
>> just the favicon) or PDFs failing to load when accessed directly in the
>> browser.
>
>
>
> Yep, but this is for an API, so the browser shouldn't be loading this as a
> page... it's just there in case something goes wrong, where an HTML response
> (potentially malicious) was provided.
>
> :-)
>
>
>
> On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:
>
>> On 2019-12-16 at 13:58 +0000, Craig Francis wrote:
>> > nosniff might not be set, or the content-type might be wrong (the API
>> > might respond with "text/html")... personally I just like having all
>> > the restrictions in place, just in case.
>> >
>> > All of my web pages return a custom CSP header for each page (only
>> > allowing what that page needs), but I'm experimenting with the
>> > equivalent of the Apache `Header setifempty` rule to set a default CSP
>> > of "default-src 'none'; etc" for any response that hasn't specified
>> > its own.
>> >
>> > Unfortunately `setifempty` doesn't work with fcgi, so I'm currently
>> > using the following on my development server:
>> >
>> >         Header set "Content-Security-Policy" "default-src 'none'; \
>> >             base-uri 'none'; form-action 'none'; frame-ancestors 'none'; \
>> >             block-all-mixed-content" \
>> >             "expr=-z %{resp:Content-Security-Policy}"
>> >
>> > Assuming it goes well, it will be used on the Live servers in the new
>> > year.
>> >
>> > Craig
>>
>> I have seen weird errors when setting such a 'none' CSP. Such as images
>> (even just the favicon) or PDFs failing to load when accessed directly in
>> the browser.
>>
>> So expect to see CSP failures that you didn't foresee.
>>
>> Cheers
>>
>>
>>
>>
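The fallback Craig describes (a default-deny CSP on any response that did not set its own) can also be done in the application layer, which sidesteps the `Header setifempty` limitation under FastCGI. The following WSGI middleware is an added example written for this thread, not code from either participant; the `demo_app` routes and the policy strings are constructed for illustration. Like the Apache rule it only fills in a missing header and never overrides a page's own policy.

```python
"""Application-level equivalent of Apache's `Header setifempty`:
attach a default-deny Content-Security-Policy to any WSGI response that
did not set one itself.  Added example, not from the mailing-list thread;
the demo routes and policies below are hypothetical."""
from wsgiref.util import setup_testing_defaults

# Same default-deny policy as in the thread.
DEFAULT_CSP = (
    "default-src 'none'; base-uri 'none'; form-action 'none'; "
    "frame-ancestors 'none'; block-all-mixed-content"
)

CSP_HEADER = "content-security-policy"


class DefaultCSPMiddleware:
    """Wrap a WSGI app; add DEFAULT_CSP only when the response lacks a CSP."""

    def __init__(self, app, policy=DEFAULT_CSP):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            # Header names are case-insensitive, so compare lowercased.
            has_csp = any(name.lower() == CSP_HEADER for name, _ in headers)
            if not has_csp:
                headers = list(headers) + [("Content-Security-Policy", self.policy)]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Hypothetical app: one page with its own CSP, one API endpoint
    without, and an error path that (mis)serves HTML with no CSP."""
    path = environ.get("PATH_INFO", "/")
    if path == "/page":
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Security-Policy", "default-src 'self'"),
        ])
        return [b"<!doctype html><p>page with its own policy</p>"]
    if path == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    # The case the thread worries about: an HTML body where a JSON
    # response was expected, with no policy of its own.
    start_response("404 Not Found", [("Content-Type", "text/html")])
    return [b"<!doctype html><p>not found</p>"]


def get_response(path, app=DefaultCSPMiddleware(demo_app)):
    """Drive `app` through a synthetic WSGI environ for `path`;
    returns (status, headers-as-dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for route in ("/page", "/api", "/missing"):
        status, headers, _ = get_response(route)
        print(f"{route:10} {status:14} CSP: {headers['Content-Security-Policy']}")
```

Two caveats for the Apache form in the thread. `Header set` without `always` only edits the onsuccess header table, so 4xx/5xx responses, exactly the error pages most likely to carry unexpected HTML, need `Header always set ...`. And, as Ángel notes, a `default-src 'none'` fallback will also apply to anything served directly (favicons, PDFs), so watch the CSP violation reports after deploying it.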

Received on Monday, 30 December 2019 15:52:15 UTC