I have a question on CSP policies that I can't easily find an answer for in the spec <https://wiki.mozilla.org/Security/CSP/Specification> (or I'm just blind), and also I don't have my head wrapped around all the facets of various web vulns..

Ok, suppose I have this origin I wish to protect "https://www.example.com", the origins "http://example.com" and "https://example.com" redirect to the former, and the former loads "content" of various forms from several subdomains and other domains, e.g...

  sub1.example.com
  sub2.example.com
  foo.otherexample.com
  bar.yetanotherexample.com


If the initial default policy we're interested in for "https://www.example.com" is...


  X-Content-Security-Policy:               \
     allow 'self'                          \     -- returns HTML
     https://sub1.example.com              \     --    "    JS, CSS
     https://sub2.example.com              \     --    "    IMGs
     foo.otherexample.com                  \     --    "    IMGs
     bar.yetanotherexample.com ;           \     --    "    IMGs
     frame-ancestors 'self'


..and the listed origins return the type of content noted in the comments on the right, then..

1. should one consider setting CSP policies for the other origins one controls, e.g. sub1.example.com and/or sub1.example.com ? E.g., if one is paranoid and wants to prevent anything from "working" if one loads directly from one of those origins ("just in case"), then one could imagine having them emit an "allow 'none'" policy of their own.

2. the other origins not under example.com's admin control might for whatever reason emit their own CSP policies.

3. how do any CSP policies emitted by these origins other than "https://www.example.com" interact with the latter's policy? The CSP draft spec presently explicitly says (emphasis added)..

  "When multiple instances of the X-Content-Security-Policy HTTP header
   are present in /an HTTP response/..."


So does that mean that that "Policy Refinements with Multiple Headers" doesn't apply to the scenario in this message? Or is "policy refinement" intended to apply in the above case (and similar ones)?


thanks,

=JeffH
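As an added illustration (not part of the original message), a small Python evaluator for the draft-era X-Content-Security-Policy syntax quoted above. It assumes that 'self' means the page's own scheme, host and port, that a scheme-less host source inherits the page's scheme, and that a directive not listed in the policy falls back to the allow list; the policy string and load URLs are constructed copies of the ones in the question.

```python
from urllib.parse import urlparse

PAGE = "https://www.example.com"

# Constructed copy of the policy from the question (Mozilla draft syntax).
POLICY = ("allow 'self' https://sub1.example.com https://sub2.example.com "
          "foo.otherexample.com bar.yetanotherexample.com; frame-ancestors 'self'")

def parse_policy(policy):
    """Split "dir src src; dir src" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def source_matches(source, url, page=PAGE):
    """Assumed matching rules: 'none' matches nothing; 'self' is the
    page's scheme+host+port; a scheme-less host inherits the page scheme."""
    if source == "'none'":
        return False
    u, p = urlparse(url), urlparse(page)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if "://" not in source:
        source = p.scheme + "://" + source
    s = urlparse(source)
    return (s.scheme, s.hostname, s.port) == (u.scheme, u.hostname, u.port)

def load_allowed(directives, url, directive="allow", page=PAGE):
    """True if url may be loaded under `directive` (falls back to allow)."""
    sources = directives.get(directive, directives.get("allow", []))
    return any(source_matches(src, url, page) for src in sources)

if __name__ == "__main__":
    d = parse_policy(POLICY)
    for url in ("https://sub1.example.com/app.js", "http://sub1.example.com/app.js",
                "https://foo.otherexample.com/a.png", "https://www.example.com/"):
        print(url, "allowed" if load_allowed(d, url) else "blocked")
```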



_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
