Gervase Markham wrote on 7/30/2009 9:06 AM: 
> On 29/07/09 23:23, Ian Hickson wrote:
>>   * Remove external policy files.
> I'm not sure how that's a significant simplification; the syntax is
> exactly the same just with an extra level of indirection, and if that
> makes things too complicated for you, don't use them.

If both a policy definition and a policy-uri field are present, CSP fails 
closed.  Not allowing external policy files means avoiding this issue entirely 
-- one less point of potential failure.

That said, the external policy file may actually make CSP easier to deploy for 
some organizations.  If authors are responsible for including the CSP header 
via a dynamic language, but another person is responsible for 
creating/maintaining the actual CSP policy definitions, then having them in 
multiple external policy files may make it easier to separate the duties.

>>   * If there are multiple headers, fail to fully closed.
> How is this a simplification? It means that if there are multiple people
> (e.g. an ISP and their customer) who want input into the policy, the ISP
> or the customer has to manually merge and intersect the policies to make
> one header, rather than the browser doing it. In other words, the
> intersection code gets written 1000 times, often badly, rather than
> once, hopefully right.

Wouldn't an ISP have to leave all the restrictions wide-open?  Since 
intersecting policies can only result in a more restrictive policy, I don't 
think an ISP could lock down anything as it would disallow it for all of their 
client sites.  The only feature of intersecting policies that I see them taking 
advantage of is the report-uri, so that they get a report too.  Or maybe I just 
need to see a practical example of a policy that an ISP would implement.

>>   * Combine img-src, media-src, object-src, frame-src
> But then the combined lotsofthings-src would have to be set to the
> intersection of all the above, which means e.g. far more potential
> sources of objects (in particular) than you might otherwise want.
> "object-src: none" sounds to me like a great idea for a load of sites
> which also want to display images.
> OTOH, "lotsofthings-src:" would still be a
> big improvement over now, where we effectively have "lotsofthings-src:
> all".

I like the granular control of img-src, media-src, etc, but wouldn't be opposed 
to a single directive that still achieves that:

        X-Content-Security-Policy: allow self; source host1.tld host2.tld object host3.tld image host4.tld;

Or maybe it's still too confusing?

>>   * Drop the "allow" directive, default all the directives to "self"
> That's an interesting idea.

I like this idea.

- Bil

dev-security mailing list
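The two merging behaviours argued over above (the browser intersecting several headers, versus failing closed when more than one is present) are easy to see side by side in code. The following is an added example, not code from the thread or from any browser; it assumes the 2009 draft syntax as described in the discussion (directives separated by `;`, each a name followed by whitespace-separated sources; `allow` supplies the default list; sources are `self`, `none`, `*` or host names), assumes a missing `allow` means `self` (the proposal at the end of the thread), and uses constructed host names and report URIs.

```javascript
// Added example (not from the thread): merging several early-draft
// X-Content-Security-Policy headers, either by intersection (the browser
// does the merge) or by failing closed (more than one header allows nothing).
// Assumed syntax: directives separated by ';', each a name followed by
// whitespace-separated sources; 'allow' is the default source list; sources
// are 'self', 'none', '*' or host names. All hosts and URIs are constructed.

const DEFAULT_SOURCES = ["self"]; // assumption: what a missing 'allow' means

// Turn source tokens into a Set. 'none' contributes nothing, so
// "object-src none" is the empty set; '*' is kept as a wildcard marker.
function sourceSet(tokens) {
  const s = new Set();
  for (const t of tokens) {
    const v = t.toLowerCase();
    if (v !== "none") s.add(v);
  }
  return s;
}

// Parse one header value into { allow, directives, report }.
function parsePolicy(header) {
  const policy = { allow: null, directives: {}, report: [] };
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (key === "report-uri") policy.report.push(...sources);
    else if (key === "allow") policy.allow = sourceSet(sources);
    else policy.directives[key] = sourceSet(sources);
  }
  return policy;
}

function allowOf(policy) {
  return policy.allow || new Set(DEFAULT_SOURCES);
}

// Sources a policy permits for a directive: the explicit list if present,
// otherwise its 'allow' list.
function effectiveSources(policy, directive) {
  return policy.directives[directive] || allowOf(policy);
}

// Set intersection where '*' means "everything": intersecting with '*'
// returns the other side unchanged, so a wide-open header never loosens
// anything and a tighter one always wins.
function intersectSources(a, b) {
  if (a.has("*")) return new Set(b);
  if (b.has("*")) return new Set(a);
  return new Set([...a].filter((x) => b.has(x)));
}

// Intersect two policies directive by directive; report-uri is a union,
// since every party that set a header wants the violation reports.
function intersectPolicies(p, q) {
  const out = { allow: intersectSources(allowOf(p), allowOf(q)), directives: {}, report: [] };
  const names = new Set([...Object.keys(p.directives), ...Object.keys(q.directives)]);
  for (const d of names) {
    out.directives[d] = intersectSources(effectiveSources(p, d), effectiveSources(q, d));
  }
  out.report = [...new Set([...p.report, ...q.report])];
  return out;
}

// Combine all headers seen on one response. "intersect" folds them together;
// "fail-closed" treats more than one header as a misconfiguration and allows
// nothing (reports are kept, an assumption, so the mistake still surfaces).
function mergeHeaders(headers, mode) {
  const policies = headers.map(parsePolicy);
  if (mode === "fail-closed" && policies.length > 1) {
    return { allow: new Set(), directives: {}, report: [...new Set(policies.flatMap((p) => p.report))] };
  }
  return policies.reduce(intersectPolicies);
}

// Render a policy back into header syntax; an empty set prints as 'none'.
function serialize(policy) {
  const list = (s) => (s.size === 0 ? "none" : [...s].join(" "));
  const parts = [`allow ${list(allowOf(policy))}`];
  for (const [d, s] of Object.entries(policy.directives)) parts.push(`${d} ${list(s)}`);
  if (policy.report.length) parts.push(`report-uri ${policy.report.join(" ")}`);
  return parts.join("; ");
}

// Constructed headers: a hosting provider that only wants a copy of the
// reports, and a customer site that restricts images and forbids plugins.
const ISP_HEADER = "allow *; report-uri https://isp.example/csp";
const SITE_HEADER = "allow self; img-src self images.example.com; object-src none; report-uri /csp-report";

console.log(serialize(mergeHeaders([ISP_HEADER, SITE_HEADER], "intersect")));
// -> allow self; img-src self images.example.com; object-src none; report-uri https://isp.example/csp /csp-report
console.log(serialize(mergeHeaders([ISP_HEADER, SITE_HEADER], "fail-closed")));
// -> allow none; report-uri https://isp.example/csp /csp-report

// If the provider tightens its own header to "allow self", the intersection
// drops images.example.com from the customer's img-src: the provider cannot
// lock anything down without also breaking sites that legitimately need it.
console.log(serialize(mergeHeaders(["allow self; report-uri https://isp.example/csp", SITE_HEADER], "intersect")));
// -> allow self; img-src self; object-src none; report-uri https://isp.example/csp /csp-report
```

The last call is the case raised in the reply above: because intersection can only remove sources, the only thing a provider can add without risk of breaking its customers is its own report-uri, which is why the example unions that field rather than intersecting it.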