Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Brandon Sterne 
I do think Content Security Policy offers a good opportunity to address
the use cases Anne brought up.

CSP already has a directive, frame-ancestors, that restricts the context
in which a resource can be embedded as a iframe, frame or object
to a list of origins.  Perhaps we should expand the scope of the
directive to include other elements (and change the directive name to
something less frame-centric).

I'd personally support such a change.

-Brandon


On 03/01/2011 12:32 AM, Adam Barth wrote:
 +dveditz and +bsterne because they have strong opinions about CSP.
 
 Adam
 
 
 On Tue, Mar 1, 2011 at 12:26 AM, Adam Barth w...@adambarth.com wrote:
 On Mon, Feb 28, 2011 at 11:57 PM, Maciej Stachowiak m...@apple.com wrote:
 For what it's worth, I think this is a useful draft and a useful 
 technology. Hotlinking prevention is of considerable interest to Web 
 developers, and doing it via server-side Referer checks is inconvenient and 
 error-prone. I hope we can fit it into Web Apps WG, or if not, find another 
 goo home for it at the W3C.

 One thing I am not totally clear on is how this would fit into CSP. A big 
 focus for CSP is to enable site X to have a policy that prevents it from 
 accidentally including scripts from site Y, and things of that nature. In 
 other words, voluntarily limit the embedding capabilities of site X itself 
 But the desired feature is kind of the opposite of that. I think it would 
 be confusing to stretch CSP to this use case, much as it would have been 
 confusing to reuse CORS for this purpose.

 There's been a bunch of discussion on the public-web-security mailing
 list about the scope of CSP.  Some folks think that CSP should be a
 narrow feature targeted at mitigating cross-site scripting.  Other
 folks (e.g., as articulated in
 http://w2spconf.com/2010/papers/p11.pdf) would like to see CSP be
 more of a one-stop shop for configuring security-relevant policy for a
 web site.

 From-Origin is closely related to one of the proposed CSP features,
 namely frame-ancestors, which also controls how the given resource can
 be embedded in other documents:

 https://wiki.mozilla.org/Security/CSP/Specification

 Aside from the aesthetic questions, I'd imagine folks will want to
 include a list of permissible origins in the From-Origin header (or
 else they'd have to give up caching their resources).  CSP already has
 syntax, semantics, and processing models for lists of origins,
 including wildcards.  At a minimum, we wouldn't want to create a
 gratuitously different syntax for the same thing.

 Adam


 On Feb 28, 2011, at 11:35 PM, Anne van Kesteren wrote:
 The WebFonts WG is looking for a way to prevent cross-origin embedding of 
 fonts as certain font vendors want to license their fonts with such a 
 restriction. Some people think CORS is appropriate for this, some don't. 
 Here is some background material:

 http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
 http://annevankesteren.nl/2011/02/web-platform-consistency
 http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html


 More generally, having a way to prevent cross-origin embedding of 
 resources can be useful. In addition to license enforcement it can help 
 with:

 * Bandwidth theft
 * Clickjacking
 * Privacy leakage

 To that effect I wrote up a draft that complements CORS. Rather than 
 enabling sharing of resources, it allows for denying the sharing of 
 resources:

 http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html

 And although it might end up being part of the Content Security Policy 
 work I think it would be useful if publish a Working Draft of this work to 
 gather more input, committing us nothing.

 What do you think?

 Kind regards,


 --
 Anne van Kesteren
 http://annevankesteren.nl/

Re: [Widgets] Mozilla open apps

2010-10-20 Thread Brandon Sterne 
On 10/20/2010 02:11 AM, Scott Wilson wrote:
 I've just had a look at this:
 
 https://apps.mozillalabs.com/
 
 In some respects this is very much what we are aiming for (apps using 
 HTML+JS+CSS) however it proposes a new proprietary app manifest format for 
 Widgets that is almost identical to PC, plus an auto-update spec (that isn't 
 Widget Updates). So a lot of reinventing the wheel.
 
 Does anyone here have any contact with the project?
 
 S

I know Mike Hanson has done some work on this project.  I'll direct him
to this thread.

-Brandon

Content Security Policy - Updated Spec

2009-04-07 Thread Brandon Sterne 
Hello All,

Last summer Mozilla introduced potential Working Group items, among
which was Content Security Policy.  We have done a lot of work refining
this proposal and I would like to re-submit it for comment and critique:

https://wiki.mozilla.org/Security/CSP
https://wiki.mozilla.org/Security/CSP/Spec

Robust mitigation of code injection is the goal of the proposal.  Since
its original submission, the model has changed.  The current proposed
model offers restrictions (triggered via HTTP header or meta tag) on
additional types of content that may be loaded in web applications (e.g.
images, CSS, object, etc.).  Further restrictions on JavaScript use
(e.g. eval(), new Function, etc.) have also been added.

Again, this proposal is not a fait accompli and is currently just a
straw person, though nightly builds of Firefox may introduce a test
implementation.  Feedback on any aspect of the proposal is more than
welcome.  We would like to explore the possibility of creating an open
standard for CSP, so any recommendations toward that end would also be
greatly appreciated.

Note: this proposal is distinct from the work that is being done on the
Origin (name TBD) header [1][2].  CSP and Origin (name TBD) are
orthogonal and address different issues.

Best regards,

Brandon Sterne
Mozilla Security Group

[1] http://tools.ietf.org/html/draft-abarth-origin-00
[2] https://wiki.mozilla.org/Security/Origin