Brandon Sterne wrote:
> I'd like to take a quick step back before we proceed further with the
> modularization discussion. I think it is fine to split CSP into
> modules, but with the following caveats:
> 1. Splitting the modules based upon different threat models doesn't seem
> to be the right approach. There are many areas where the threats we
> want to mitigate overlap in terms of browser functionality. A better
> approach, IMHO, is to create the modules based upon browser
> capabilities. With those capability building blocks, sites can then
> construct policy sets to address any given threat model (including ones
> we haven't thought of yet).
Part of the value of the threat-centric module approach is it
facilitates analysis of the defensive efficacy of CSP directives. This
can point us to additional policies that are needed for more complete
coverage, and reveal policies that are superfluous (I'm not saying any
existing proposed policy is useless) and browser vendors need not
implement. However, as Lucas rightly pointed out, the correctness of
this analysis is dependent on our awareness and understanding of threats.
If browser implementers are to pick and choose among CSP policies to
support (besides XSS related ones, we agree), there should ideally be
some reference that indicates the combined set of policies that are
needed to mitigate each threat. This can aid browser implementers in
deciding which policies to implement. For instance, if some browser
vendor wants to support CSP protection against CSRF attacks, the vendor
should know that it's of limited use to only strip cookies from form
submissions; form action URIs must also be constrained to a set of
trusted origins.
Perhaps the spec can have an appendix recommending sets of directives
for several significant threats, based on some thorough analysis of each
threat, citing known capabilities and limitations of each set. This can
benefit the spec writers, browser implementers and web developers.
Mike
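The CSRF point above (stripping cookies from form submissions is of limited use unless form targets are also constrained to trusted origins) turned into a small coverage checker, added here as an illustration; it is not code from this thread or from any browser's CSP implementation. `form-action` is a real CSP directive; `form-cookies` is a hypothetical directive name used to stand in for the cookie-stripping capability the thread mentions, and the threat-to-directive table is a constructed sketch of the kind of appendix proposed above, not an authoritative one.

```python
"""Toy check: does a capability-style CSP policy cover a given threat?

Models the idea from the thread that capability directives are building
blocks and that a threat is only mitigated by a *combined* set of them.
`form-action` is a real CSP directive. `form-cookies` is a HYPOTHETICAL
directive name standing in for "strip cookies from form submissions".
The threat table below is a constructed sketch, not a reference.
"""
from __future__ import annotations

from typing import Callable


def parse_policy(header: str) -> dict[str, list[str]]:
    """Parse 'name v1 v2; name2 v3' into {name: [values]}.

    Directive names are case-insensitive. A repeated directive keeps its
    first occurrence, which is how CSP itself resolves duplicates.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def restricts_to_origins(values: list[str]) -> bool:
    """True only if every source is 'self', 'none', or an explicit host source.

    A bare '*', a scheme-only source such as 'https:', or a keyword like
    'unsafe-inline' means the directive does not actually constrain anything.
    """
    if not values:
        return False
    for v in values:
        if v in ("'self'", "'none'"):
            continue
        if v.startswith(("https://", "http://")) and "*" not in v:
            continue
        return False
    return True


def is_strip(values: list[str]) -> bool:
    """Hypothetical 'form-cookies strip' value: send forms without cookies."""
    return values == ["strip"]


# threat -> list of (directive, predicate, reason). Constructed sketch of the
# "combined set of policies needed to mitigate each threat" appendix idea.
THREAT_REQUIREMENTS: dict[str, list[tuple[str, Callable[[list[str]], bool], str]]] = {
    "csrf": [
        ("form-cookies", is_strip,
         "form submissions must not carry ambient cookies (hypothetical directive)"),
        ("form-action", restricts_to_origins,
         "limit form submission targets to trusted origins"),
    ],
    "xss": [  # simplified: real XSS coverage needs more than this
        ("script-src", restricts_to_origins,
         "script sources must be explicit origins with no inline scripts"),
    ],
}


def coverage_gaps(header: str, threat: str) -> list[str]:
    """Return human-readable gaps; an empty list means the set is complete."""
    if threat not in THREAT_REQUIREMENTS:
        raise ValueError(f"no requirement set defined for threat {threat!r}")
    policy = parse_policy(header)
    gaps: list[str] = []
    for directive, ok, reason in THREAT_REQUIREMENTS[threat]:
        if directive not in policy:
            gaps.append(f"{directive} missing: {reason}")
        elif not ok(policy[directive]):
            gaps.append(f"{directive} too permissive: {reason}")
    return gaps


if __name__ == "__main__":
    # Constructed sample policies: cookie stripping alone vs. the combined set.
    for sample in ("form-cookies strip",
                   "form-cookies strip; form-action 'self' https://pay.example"):
        print(sample, "->", coverage_gaps(sample, "csrf") or "covered")
```

Running the module prints, for the first constructed policy, the missing `form-action` constraint, and "covered" for the second; the checker is deliberately pessimistic, so any wildcard or scheme-only source counts as unconstrained.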
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security