Hi Sid,
actually, while I read the spec recommendation, one thing immediately came
to my mind: Why only add protection to HTML content?
To my understanding, a UA could implement CSP processing not only in file
type handlers like "text/html"; *any* file type handler should process
CSP directives.
To protect media files, CSP directives should be considered from a different
perspective: "Which containers are allowed to display this/my content?"
The "allow self" directive could be used, for example, to protect images,
JavaScript libraries or even web pages from being hijacked by other
websites. (Protecting web pages would have the same effect as using Internet
Explorer 8's "X-Frame-Options: Deny" HTTP header
[http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx#_replace])
Imagine some foreign website links to a protected image. Then the
"image/jpeg" handler would create an HTTP request for retrieving this
resource. As soon as the HTTP headers for the image arrive, the image
handler can check for a CSP restriction and block the content from being
displayed.
Well, protecting intellectual property this way is not fail-safe. It
requires a UA supporting CSP in the above-mentioned way. But as it says in
the recommendation:
"CSP is not intended to be a main line of defence, but rather one of the
many layers of security"
and
"It should be made clear that it is not the intent of CSP to prevent
navigation to arbitrary sites, but rather to restrict the types of script,
media, and other resources that may be used on a web page."
...your thoughts?
Axel Dahmen
www.axeldahmen.de
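A simulation of the check Axel describes, added here as an illustration and not part of the original thread or of any browser's code: a resource handler receives the origin of the embedding document and the response headers of the fetched resource, and decides whether to display it. The header name "X-Content-Security-Policy", the "allow self" / "allow <origin>" syntax as applied to non-HTML resources, and the function names are assumptions made for this example; the X-Frame-Options DENY / SAMEORIGIN semantics are those of the IE8 header referenced above.

```javascript
// Added example (not from the original thread or any browser): simulate the
// per-resource policy check Axel proposes. Header name and "allow" syntax are
// assumed for illustration only.

// Reduce a URL to its origin (scheme + host + port), the unit of comparison.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Parse an assumed policy string such as "allow self https://partner.example"
// into the set of embedder origins permitted to display the resource.
// 'self' expands to the resource's own origin; '*' permits any origin.
function parseAllowList(policy, resourceOrigin) {
  const allowed = new Set();
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] !== 'allow') continue; // only the "allow" directive is modelled here
    for (const tok of tokens.slice(1)) {
      if (tok === 'self' || tok === "'self'") allowed.add(resourceOrigin);
      else if (tok === '*') allowed.add('*');
      else allowed.add(tok);
    }
  }
  return allowed;
}

// Decision a (hypothetical) image/script/document handler takes once the
// response headers have arrived and before the body is rendered.
//   resourceUrl: the URL that was fetched
//   embedderUrl: the document that links, frames or embeds the resource
//   headers:     response headers as a plain object (case-insensitive names)
function isDisplayAllowed(resourceUrl, embedderUrl, headers) {
  const resourceOrigin = parseOrigin(resourceUrl);
  const embedderOrigin = parseOrigin(embedderUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // X-Frame-Options as shipped by IE8: DENY blocks any framing,
  // SAMEORIGIN blocks framing by a different origin.
  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN' && embedderOrigin !== resourceOrigin) return false;
  }

  // Assumed CSP header carried by the resource itself: no header means no
  // restriction; otherwise the embedder must be on the allow list.
  const policy = h['x-content-security-policy'];
  if (policy === undefined) return true;
  const allowed = parseAllowList(policy, resourceOrigin);
  return allowed.has('*') || allowed.has(embedderOrigin);
}

// Constructed sample: a protected image served with "allow self".
const imageHeaders = {
  'Content-Type': 'image/jpeg',
  'X-Content-Security-Policy': 'allow self',
};
console.log(isDisplayAllowed('https://axeldahmen.de/logo.jpg',
                             'https://hotlinker.example/page.html', imageHeaders)); // false
console.log(isDisplayAllowed('https://axeldahmen.de/logo.jpg',
                             'https://axeldahmen.de/index.html', imageHeaders));   // true

module.exports = { parseOrigin, parseAllowList, isDisplayAllowed };
```

The decision is taken on headers alone, so the handler can abort before the body is decoded; as the message notes, this protects nothing against a UA that does not implement the check, which is exactly the "one of many layers" caveat quoted above.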
-----------------------
"Sid Stamm" <[email protected]> wrote in message
news:[email protected]...
Hi Axel,
I agree that we should consider what CSP can do to protect other types
of content. We mainly stuck with HTML at first since it's the most
common "document" format on the Web.
This is the perfect place to start a discussion about how to apply CSP
to other types of content. What are your thoughts?
-Sid
On 03/06/2010 12:29 PM, Axel Dahmen wrote:
Hi,
I was thinking that it was a nifty idea to use CSP also for non-HTML
content. Applying it to other content, like images or JavaScript, it
might be used to serve as some kind of low-level rights management.
Would you like to discuss this type of application of CSP?
Axel Dahmen
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security