On 2/28/10 6:43 PM, Axel Dahmen wrote:
> Actually I still can't find a fair reason for omitting the option of
> allowing HTML <meta> tags to provide CSP directives.
>
> * By means of the intersection algorithm, a <meta> CSP directive can
> only tighten security but not loosen.
>
> * Disallowing <meta> tags would cause a significant number of private
> websites to not be able to use this security feature. Does someone
> really want to exclude all these users from the spec? Just because it
> would cause more effort implementing it? What's more important?
If we knew that there really were "all these users" clamoring to use CSP it might be worth working through the complexities, but until we get a working version out there we won't really know what works and what doesn't in the real world. It is far, far easier to add <meta> support later if we need it than to remove a feature if we decide it's not working out.

Not too worried about injected <meta> tags; we just have to make sure it can only restrict the page further (which we already have to do to support multiple HTTP headers). How do we handle a <meta> tag that comes after some content which a policy should have regulated? If we decide to only honor <meta> tags that "come first" then injecting such a header can disable CSP. If we enforce CSP from that point on there's still page content that avoided the policy. We could re-parse the entire page and enforce things the second time around, but the injection may have been able to do its damage already. This is not an academic question; I've seen a lot of pages with malware content injected above the normal page content. Is "best effort" CSP enforcement good enough? Would we be fostering a false sense of security by supporting <meta>?

"Effort" isn't why we cut it. The policy is designed to protect the integrity of the content, and it's much easier to reason about its security properties and effectiveness when it's delivered external to that content. If CSP turns out to be an effective and accepted solution (no inline scripts is pretty radical) and there's a need for <meta> support we can add that during the standardization process. At the moment it's hard to imagine who would benefit from it, though. Yes, I know there are a lot of people who can't change their headers, but do those people run web applications that could suffer from XSS and other attacks CSP addresses?
-Dan Veditz

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
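The "can only restrict the page further" rule discussed in the message above (a second policy, whether from another header or a <meta> tag, can only tighten what the first allows), as an added illustration that is not code from this thread or from any browser's CSP implementation. The source matching is a deliberately simplified subset of CSP, and the policies, origin and URLs are constructed samples.

```python
from urllib.parse import urlparse

def parse_policy(policy: str) -> dict:
    """'default-src 'self'; script-src a.example' -> {'default-src': ["'self'"], ...}"""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', *, scheme://host, host."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    host = source
    if "://" in source:
        s = urlparse(source)
        if s.scheme != u.scheme:
            return False
        host = s.netloc
    return u.hostname == host

def policy_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """One policy's verdict; a policy that says nothing about this load permits it."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

def allowed_by_all(policies, directive, url, page_origin) -> bool:
    """Intersection rule: the load goes through only if every policy in force permits it."""
    return all(policy_allows(parse_policy(p), directive, url, page_origin) for p in policies)

def effective_allow_set(policies, directive, candidates, page_origin) -> set:
    """Candidate URLs that survive all policies; adding a policy can only shrink this set."""
    return {c for c in candidates if allowed_by_all(policies, directive, c, page_origin)}

# Constructed sample: a header policy, a <meta> policy that tightens it, and an
# injected <meta> policy that tries to loosen it (and cannot, under the intersection rule).
ORIGIN = "https://www.example"
HEADER = "default-src 'self'; script-src 'self' https://cdn.example"
META_TIGHTER = "script-src 'self'"
META_LOOSER = "script-src *"
CANDIDATES = ["https://www.example/app.js", "https://cdn.example/lib.js", "https://evil.example/x.js"]
```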