Re: Comments on the Content Security Policy specification

2009-10-21 Thread Gervase Markham

On 20/10/09 21:20, Sid Stamm wrote:

> While I agree with your points enumerated above, we should be really
> careful about scope creep and stuffing new goals into an old idea. The
> original point of CSP was not to provide a global security
> infrastructure for web sites, but to provide content restrictions and
> help stop XSS (mostly content restrictions). Rolling all sorts of extra
> threats like history sniffing into CSP will make it huge and complex,
> and not for what was initially desired. (A complex CSP isn't so bad if
> it were modular, but I don't think 'wide-reaching' was the original aim
> for CSP).

I think we need to differentiate between added complexity in syntax and
added complexity in implementation.

If we design the syntax right, there is no need for additional CSP
directives to make the syntax more complicated for those who neither
wish to know nor care about them.

If we modularise CSP correctly, there is no necessity that additional
ideas lead to greater implementation complexity for those browsers who
don't want to adopt those ideas (yet).

I think it would be good if we didn't have to invent a new header for
each idea of ways to lock down content. I think it would be great if
people could experiment with "Content-Security-Policy: x-my-cool-idea",
and see if it was useful before standardization. Any idea which is a
policy for content security should be in scope for experimentation.

I agree with your concerns about scope creep, but I don't think making
sure the syntax is forwards-compatible requires a fundamental redesign.
And I don't think allowing the possibility of other things means we are
on the hook to implement them, either for Firefox 3.6 or for any other
release.

We may wish to say "OK, CSP 1.0 is these 3 modules", so that a browser
could say "I support CSP 1.0" without having to be more specific and
detailed. But given that CSP support is unlikely to be a major marketing
sell, I don't think that's a big factor.

Gerv
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security


Re: Comments on the Content Security Policy specification

2009-10-21 Thread Sid Stamm
On 10/21/09 2:49 AM, Gervase Markham wrote:
> I think we need to differentiate between added complexity in syntax and
> added complexity in implementation.
>
> If we design the syntax right, there is no need for additional CSP
> directives to make the syntax more complicated for those who neither
> wish to know nor care about them.

Additional directives are not a problem either, unless they're mandatory
for all policies (which is not the case ... yet). I'm still more in
favor of extension via new directives than extension by modifying
existing ones: this seems more obviously backward compatible and in
reality probably more forward compatible too.

> If we modularise CSP correctly, there is no necessity that additional
> ideas lead to greater implementation complexity for those browsers who
> don't want to adopt those ideas (yet).

Agreed. I'm not against modularization at all, I just want to be
careful so that it is spec'd out that way -- we just need to keep this
in mind.

> I think it would be good if we didn't have to invent a new header for
> each idea of ways to lock down content. I think it would be great if
> people could experiment with "Content-Security-Policy: x-my-cool-idea",
> and see if it was useful before standardization. Any idea which is a
> policy for content security should be in scope for experimentation.

Right. This was proposed a while back (I don't recall the thread off
hand) as one header to convey all relevant security policies. Something
like "Accept-Policies", I think. If we want to turn CSP into that, we
could, but it surely wasn't designed from the ground up with that in mind.

> I agree with your concerns about scope creep, but I don't think making
> sure the syntax is forwards-compatible requires a fundamental redesign.
> And I don't think allowing the possibility of other things means we are
> on the hook to implement them, either for Firefox 3.6 or for any other
> release.

Point taken. I'm on board for modularization so long as we don't have
to completely redesign the policy syntax.

I'm also a bit worried that we might lose sight of the original goals of
CSP, and so I wanted to bring up the fact that we have wandered far, far
away from where CSP started. If everyone is okay with the diversion, I
see no cause for concern.

> We may wish to say "OK, CSP 1.0 is these 3 modules", so that a browser
> could say "I support CSP 1.0" without having to be more specific and
> detailed. But given that CSP support is unlikely to be a major marketing
> sell, I don't think that's a big factor.

What? No "CSP 1.0 Compatible!" stickers for my laptop? Or "CSP
inside"? :)

-Sid
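An added example, not code from this thread or from any Mozilla implementation, of the forward-compatible parsing both messages argue for: an unknown or experimental x- directive such as Content-Security-Policy: x-my-cool-idea is recorded and ignored instead of breaking the policy, while the known directives are still enforced. The matching rules it uses (default-src fallback, first instance of a duplicated directive wins, 'self', 'none' and * sources) follow later CSP conventions and are assumptions rather than anything the 2009 draft on this page states; KNOWN, SAMPLE and the origins are constructed.

```python
from urllib.parse import urlsplit
# Directives this toy enforcer understands; anything else is kept but ignored.
KNOWN = {"default-src", "script-src", "img-src", "style-src"}

def parse_csp(header):
    """Return ({directive: [sources]}, [unknown names]). Unknown (e.g. x-*)
    directives are recorded but never enforced; first instance of a name wins."""
    directives, unknown = {}, []
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name in directives:
            continue                      # duplicate directive: ignore it
        directives[name] = sources
        if name not in KNOWN:
            unknown.append(name)
    return directives, unknown

def _source_matches(source, origin, page_origin):
    if source == "*":
        return True
    if source == "'self'":
        return origin == page_origin
    if source.startswith("'"):
        return False                      # 'none' or unknown keyword: matches nothing
    if source.startswith("*."):           # *.example.com matches any subdomain
        return (urlsplit(origin).hostname or "").endswith(source[1:])
    return source.lower() == origin.lower()

def is_allowed(directives, directive, origin, page_origin):
    """True if a load governed by `directive` from `origin` may proceed;
    a missing fetch directive falls back to default-src."""
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True                       # no applicable directive: unrestricted
    return any(_source_matches(s, origin, page_origin) for s in sources)

# Constructed sample policy: known directives, one x- experiment, one duplicate.
SAMPLE = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "x-my-cool-idea strict; img-src *; script-src *")

def demo(page="https://app.example.com"):
    d, unknown = parse_csp(SAMPLE)
    return {"unknown": unknown,
            "script_cdn": is_allowed(d, "script-src", "https://cdn.example.com", page),
            "script_other": is_allowed(d, "script-src", "https://evil.example.net", page),
            "style_self": is_allowed(d, "style-src", page, page),
            "img_any": is_allowed(d, "img-src", "http://anywhere.test", page)}
```

The duplicated `script-src *` at the end of SAMPLE is deliberately ignored, so the experimental directive neither loosens nor breaks the enforced script policy.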