Re: Content Security Policy - final call for comments

2009-06-30 Thread Brandon Sterne 
(copying the dev-security newsgroup)

Hi Ignaz,

Thanks for the feedback.  The spoofed security indicators from an
injected CSP meta tag is a fair point and one I haven't thought of
previously.  I'm not sure if browsers will implement such visual
indicators for CSP because it may confuse users.  This is still a valid
point, though, and we've struggled with the idea of meta tag policy
from the beginning.  The idea is to enable sites which can't set headers
to use CSP, but the reward might not be worth the risk.  In fact, Sid,
one of the engineers implementing CSP has proposed removing this from
the design:
http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html

If there are no major objections to doing so, it looks like you'll get
your way :-)

Cheers,
Brandon


ignazb wrote:
 Hello,
 
 I just read some of the documentation about CSP and I must say it
 looks promising. However, I think there are some flaws in the spec.
 -) I think it is a bad idea to allow the use of a meta tag for CSP
 policy-declaration. If, for example, you decided to show a symbol in
 the browser that indicates that the site is CSP secured, it would not
 be possible to tell whether the CSP policy comes from the server via a
 HTTP header or from an attacker who just injected it (unless, of
 course, you display where the CSP policy came from). So if a user
 visits a site and sees it is CSP secured (although an attacker
 inserted the tag allowing the execution of scripts from his site) she
 could decide to turn on JavaScript although the site is inherently
 unsafe.
 -) There should probably also be a way to restrict the contents of
 meta tags in a website. If, for example, an attacker inserts a meta
 for a HTTP redirect, he could redirect users to his own website, even
 with CSP enabled.
 
 -- Ignaz
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security

Re: Content Security Policy - final call for comments

2009-06-30 Thread Bil Corry 
One option is to meet in the middle: by default the meta tag is disabled, but 
the hosting provider can enable it via the X-Content-Security-Policy header; 
that way those who want the risk of it can still choose to use it.

Otherwise, +1 for removing meta tag support.


- Bil


Brandon Sterne wrote on 6/30/2009 10:50 AM: 
 (copying the dev-security newsgroup)
 
 Hi Ignaz,
 
 Thanks for the feedback.  The spoofed security indicators from an
 injected CSP meta tag is a fair point and one I haven't thought of
 previously.  I'm not sure if browsers will implement such visual
 indicators for CSP because it may confuse users.  This is still a valid
 point, though, and we've struggled with the idea of meta tag policy
 from the beginning.  The idea is to enable sites which can't set headers
 to use CSP, but the reward might not be worth the risk.  In fact, Sid,
 one of the engineers implementing CSP has proposed removing this from
 the design:
 http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
 
 If there are no major objections to doing so, it looks like you'll get
 your way :-)
 
 Cheers,
 Brandon
 
 
 ignazb wrote:
 Hello,

 I just read some of the documentation about CSP and I must say it
 looks promising. However, I think there are some flaws in the spec.
 -) I think it is a bad idea to allow the use of a meta tag for CSP
 policy-declaration. If, for example, you decided to show a symbol in
 the browser that indicates that the site is CSP secured, it would not
 be possible to tell whether the CSP policy comes from the server via a
 HTTP header or from an attacker who just injected it (unless, of
 course, you display where the CSP policy came from). So if a user
 visits a site and sees it is CSP secured (although an attacker
 inserted the tag allowing the execution of scripts from his site) she
 could decide to turn on JavaScript although the site is inherently
 unsafe.
 -) There should probably also be a way to restrict the contents of
 meta tags in a website. If, for example, an attacker inserts a meta
 for a HTTP redirect, he could redirect users to his own website, even
 with CSP enabled.

 -- Ignaz
 ___
 dev-security mailing list
 dev-security@lists.mozilla.org
 https://lists.mozilla.org/listinfo/dev-security
 


___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security