One option is to meet in the middle: by default the meta tag is disabled, but
the hosting provider can enable it via the X-Content-Security-Policy header;
that way those who want the risk of it can still choose to use it.
Otherwise, +1 for removing meta tag support.
- Bil
Brandon Sterne wrote on 6/30/2009 10:50 AM:
(copying the dev-security newsgroup)
Hi Ignaz,
Thanks for the feedback. The spoofed security indicators from an
injected CSP meta tag are a fair point and one I haven't thought of
previously. I'm not sure if browsers will implement such visual
indicators for CSP because it may confuse users. This is still a valid
point, though, and we've struggled with the idea of meta tag policy
from the beginning. The idea is to enable sites which can't set headers
to use CSP, but the reward might not be worth the risk. In fact, Sid,
one of the engineers implementing CSP, has proposed removing this from
the design:
http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
If there are no major objections to doing so, it looks like you'll get
your way :-)
Cheers,
Brandon
ignazb wrote:
Hello,
I just read some of the documentation about CSP and I must say it
looks promising. However, I think there are some flaws in the spec.
-) I think it is a bad idea to allow the use of a meta tag for CSP
policy declaration. If, for example, you decided to show a symbol in
the browser that indicates that the site is CSP secured, it would not
be possible to tell whether the CSP policy comes from the server via an
HTTP header or from an attacker who just injected it (unless, of
course, you display where the CSP policy came from). So if a user
visits a site and sees it is CSP secured (although an attacker
inserted the tag allowing the execution of scripts from his site) she
could decide to turn on JavaScript although the site is inherently
unsafe.
-) There should probably also be a way to restrict the contents of
meta tags in a website. If, for example, an attacker inserts a meta
for an HTTP redirect, he could redirect users to his own website, even
with CSP enabled.
-- Ignaz
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
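The two risks raised in this thread, a CSP policy that arrives only in a page-body meta tag (so a browser indicator could be spoofed by whoever injected it) and an injected meta refresh that redirects regardless of CSP, can both be caught by a simple response audit. The following is an added example, not code from the thread or from Mozilla's CSP implementation; the `X-Content-Security-Policy` header name is the one discussed above, the `audit_response` function and the `evil.example` host are constructed for illustration, and the sample headers and body are constructed inputs.

```python
from html.parser import HTMLParser

# Constructed sample: the server sends no CSP header, but the HTML body carries
# a CSP meta tag and a meta refresh, the two injection cases from the thread.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = """<html><head>
<meta http-equiv="X-Content-Security-Policy" content="allow 'self' http://evil.example">
<meta http-equiv="refresh" content="0;url=http://evil.example/">
<title>Guestbook</title></head><body><p>Sign our guestbook</p></body></html>"""

# Constructed clean sample: policy comes from the header and the body has no
# policy-bearing or navigation-bearing meta tags.
CLEAN_HEADERS = {"Content-Type": "text/html", "X-Content-Security-Policy": "allow 'self'"}
CLEAN_BODY = "<html><head><title>Guestbook</title></head><body><p>Sign our guestbook</p></body></html>"


class MetaAuditor(HTMLParser):
    """Collect <meta http-equiv=...> tags that carry a policy or a redirect."""

    WATCHED = ("x-content-security-policy", "content-security-policy", "refresh")

    def __init__(self):
        super().__init__()
        self.meta = []  # list of (http-equiv value, content value)

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # Valueless attributes arrive as None; normalise to empty strings.
        a = {k.lower(): (v or "") for k, v in attrs}
        equiv = a.get("http-equiv", "").strip().lower()
        if equiv in self.WATCHED:
            self.meta.append((equiv, a.get("content", "").strip()))


def audit_response(headers, body):
    """Compare header-delivered policy with meta-delivered policy and flag
    the conditions the thread warns about. Returns a dict of findings."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    header_policy = hdrs.get("x-content-security-policy")

    parser = MetaAuditor()
    parser.feed(body)
    meta_policies = [c for e, c in parser.meta if e != "refresh"]
    meta_refresh = [c for e, c in parser.meta if e == "refresh"]

    findings = []
    if meta_policies and header_policy is None:
        # Nothing server-side vouches for the policy; any UI indicator based
        # on it would be spoofable by whoever wrote the tag into the page.
        findings.append("policy delivered only by <meta>: untrusted, no header confirms it")
    if meta_policies and header_policy is not None and any(p != header_policy for p in meta_policies):
        findings.append("meta policy differs from header policy: possible injection")
    if meta_refresh:
        # A meta refresh navigates the document whether or not CSP is in effect.
        findings.append("meta refresh present: document can redirect regardless of CSP")

    return {
        "header_policy": header_policy,
        "meta_policies": meta_policies,
        "meta_refresh": meta_refresh,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, h, b in (("injected", SAMPLE_HEADERS, SAMPLE_BODY), ("clean", CLEAN_HEADERS, CLEAN_BODY)):
        result = audit_response(h, b)
        print(label, "->", result["findings"] or ["no findings"])
```

The check treats the header as the only trustworthy source of policy: a meta-delivered policy is reported when no header exists at all, and again when it disagrees with the header, which is the situation Bil's proposal (header opts in, meta fills in) would have to resolve.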