- From: Mike West <mkwst@google.com>
- Date: Wed, 8 Jan 2020 11:16:29 +0100
- To: Web Application Security Working Group <public-webappsec@w3.org>
Received on Wednesday, 8 January 2020 10:16:44 UTC
Hey folks,

At TPAC last year, we discussed <https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#csp> the CSP Next proposal <https://github.com/mikewest/csp-next> in a little bit of detail. It seemed like there was general approval of the vague contours of the idea, so I took some time to sketch it out in a little more detail. I'd appreciate feedback (directional and detailed!) on https://mikewest.github.io/csp-next/scripting-policy.html.

This addresses the XSS mitigation portion of CSP. It doesn't touch the confinement portions of CSP discussed in https://github.com/mikewest/csp-next/#resource-confinement. I'm quite a bit less clear on what that would actually need to look like. If y'all have ideas (especially those rooted in actual experience deploying confinement-oriented policies), I'd love to hear about them.

Thanks!

-mike