Re: A modest content security proposal.

On Mon, Jul 15, 2019 at 11:03 AM Mike West <mkwst@google.com> wrote:

> Hey folks,
>
> As part of a concerted effort to procrastinate on things I actually need
> to get done this week, I sketched out a proposal around an iteration on CSP
> that we've talked about in various venues. TL;DR: Let's break it in half,
> and throw away esoteric junk no one uses. :)
>
> https://github.com/mikewest/csp-next
>
> I'm not sure this is worth anyone spending significant amounts of time on
> at the moment, but it's been in the back of my head for a while, and I
> think it's at least worth discussing, even without concrete plans to
> actually work on it in the near future.
>
> Perhaps it might fuel some TPAC discussion later in the year? WDYT?
>

I think this is an appealing idea from the platform perspective. The two
main benefits I see are that it would be much harder to
misconfigure Scripting-Policy to remove its anti-injection protections
(compared to CSP), and that this would give us a path towards requiring
require certain valuable security restrictions in sensitive applications. A
new header would also give us a chance to remove a few other pain points of
CSP, which is nice.

The main concern I have is cross-browser support: for this to succeed we'd
need most browsers to ship this in the same decade :) Otherwise, developers
will either stick with CSP for broader browser support or decide to deploy
both mechanisms, which will be even more complex than enabling CSP alone.
The second challenge is prioritization -- there are several security fires
burning in various parts of the web platform, and this could potentially
wait until we've at least doused the flames of some of the other issues
(shipping COOP/COEP, Fetch Metadata, Trusted Types, etc.)

Overall, as long as there is agreement among browser vendors to do this, I
expect it will make developers' lives much easier in the long run.

Received on Monday, 15 July 2019 10:33:07 UTC