Allow CSP on HTML meta tags
I've read through the CSP specs (https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)... What I'm missing is a statement about allowing CSP directives in HTML meta tags.

Use case:
- My provider just provides the ability to upload HTML and related content, but they don't provide an option to manipulate the server's output to any degree. So configuring HTTP response headers is not possible here. However, I want to protect my web pages just like any other. So the only option I would have to get CSP applied would be through using HTML meta tags.

Axel Dahmen

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Allow CSP on HTML meta tags
This would also allow for testing local files against CSP directives.

---
Axel Dahmen <keentok...@newsgroup.nospam> wrote in message news:q_gdneegtdzj7rfwnz2dnuvz_tidn...@mozilla.org...

> I've read through the CSP specs (https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)... What I'm missing is a statement about allowing CSP directives in HTML meta tags.
>
> Use case:
> - My provider just provides the ability to upload HTML and related content, but they don't provide an option to manipulate the server's output to any degree. So configuring HTTP response headers is not possible here. However, I want to protect my web pages just like any other. So the only option I would have to get CSP applied would be through using HTML meta tags.
>
> Axel Dahmen
Re: Allow CSP on HTML meta tags
Axel Dahmen wrote on 2/28/2010 5:28 AM:

> I've read through the CSP specs (https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)... What I'm missing is a statement about allowing CSP directives in HTML meta tags.
>
> Use case:
> - My provider just provides the ability to upload HTML and related content, but they don't provide an option to manipulate the server's output to any degree. So configuring HTTP response headers is not possible here. However, I want to protect my web pages just like any other. So the only option I would have to get CSP applied would be through using HTML meta tags.

CSP used to support meta policies, but was removed. You probably want to read through these:

http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/cf15e2be59a72734?lnk=gstq=meta#cf15e2be59a72734
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/c0f1a44e4fb98859/31465e3d46ccf806?lnk=gstq=meta#31465e3d46ccf806
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/f9167000431aa6a4?lnk=gstq=meta#f9167000431aa6a4
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/5f75c00c023696bd?lnk=gstq=meta#5f75c00c023696bd
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/87796e2d9caeb36f?lnk=gstq=meta#87796e2d9caeb36f

There's probably more:

http://groups.google.com/group/mozilla.dev.security/search?group=mozilla.dev.securityq=metaqt_g=Search+this+group

- Bil
Re: Allow CSP on HTML meta tags
Thanks, Bil, for enlightening me.

Actually I still can't find a fair reason for omitting the option of allowing HTML meta tags to provide CSP directives.

* By means of the intersection algorithm, a meta CSP directive can only tighten security but not loosen.
* Disallowing meta tags would cause a significant number of private websites to not be able to use this security feature.

Does someone really want to exclude all these users from the spec? Just because it would cause more effort implementing it? What's more important?

Regards,
Axel Dahmen

---
Bil Corry <b...@corry.biz> wrote in message news:mailman.5921.1267370334.4112.dev-secur...@lists.mozilla.org...

> Axel Dahmen wrote on 2/28/2010 5:28 AM:
>
> > I've read through the CSP specs (https://wiki.mozilla.org/Security/CSP/Spec#Source_Expression_List) and the Talk (https://wiki.mozilla.org/Talk:Security/CSP/Spec)... What I'm missing is a statement about allowing CSP directives in HTML meta tags.
> >
> > Use case:
> > - My provider just provides the ability to upload HTML and related content, but they don't provide an option to manipulate the server's output to any degree. So configuring HTTP response headers is not possible here. However, I want to protect my web pages just like any other. So the only option I would have to get CSP applied would be through using HTML meta tags.
>
> CSP used to support meta policies, but was removed. You probably want to read through these:
>
> http://blog.sidstamm.com/2009/06/csp-with-or-without-meta.html
> http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/cf15e2be59a72734?lnk=gstq=meta#cf15e2be59a72734
> http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/c0f1a44e4fb98859/31465e3d46ccf806?lnk=gstq=meta#31465e3d46ccf806
> http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/f9167000431aa6a4?lnk=gstq=meta#f9167000431aa6a4
> http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/571f1495e6ccf822/5f75c00c023696bd?lnk=gstq=meta#5f75c00c023696bd
> http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/87ebe5cb9735d8ca/87796e2d9caeb36f?lnk=gstq=meta#87796e2d9caeb36f
>
> There's probably more:
>
> http://groups.google.com/group/mozilla.dev.security/search?group=mozilla.dev.securityq=metaqt_g=Search+this+group
>
> - Bil
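The "can only tighten, never loosen" claim in Axel's last message is the crux of the whole thread, so here is an added, constructed illustration of it (this is editor-written example code, not from anyone on the list and not the spec's algorithm). It models the combination rule as an intersection: a load is permitted only if every delivered policy permits it, which is also how later CSP levels treat a header policy plus a `<meta http-equiv="Content-Security-Policy">` policy on the same page. The source-expression matcher is deliberately simplified (no ports, paths, nonces or hashes), and the page URL, policies and candidate script URLs are all made up for the demo.

```python
from urllib.parse import urlsplit

# Constructed page and policies (not from the thread); a simplified model of
# how a browser combines a header-delivered CSP with a meta-delivered one.
PAGE = "https://site.example/index.html"
HEADER_POLICY = "default-src 'self' https://cdn.example; img-src *"
META_TIGHTER = "default-src 'self'"   # meta policy that narrows the header
META_LOOSER = "default-src *"         # meta policy that tries to widen it


def source_allows(src, page, url):
    """Match one CSP source expression against a candidate URL.

    Simplified: handles 'none', 'self', '*', a scheme-source such as
    'https:', and a host-source with optional scheme and '*.' wildcard.
    Ports and paths are ignored, which the real spec does not do.
    """
    p, u = urlsplit(page), urlsplit(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":
        return True
    if src.endswith(":"):
        return u.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def parse_policy(text):
    """Turn "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def policy_allows(policy, directive, page, url):
    """One policy: use the specific directive, else default-src, else allow."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, page, url) for s in sources)


def allowed(policy_texts, directive, page, url):
    """Every delivered policy must allow the load. The effective policy is
    therefore the intersection, so adding a meta policy can only remove
    permissions the header granted, never add new ones."""
    return all(policy_allows(parse_policy(t), directive, page, url)
               for t in policy_texts)


def allowed_set(policy_texts, directive, page, candidates):
    """Subset of candidate URLs the given policies would let the page load."""
    return {c for c in candidates if allowed(policy_texts, directive, page, c)}


CANDIDATES = [  # constructed script URLs a page might try to load
    "https://site.example/app.js",
    "https://cdn.example/lib.js",
    "http://cdn.example/lib.js",
    "https://evil.example/x.js",
]


def demo():
    """Return (header only, header + tighter meta, header + looser meta)."""
    header_only = allowed_set([HEADER_POLICY], "script-src", PAGE, CANDIDATES)
    with_tighter = allowed_set([HEADER_POLICY, META_TIGHTER], "script-src", PAGE, CANDIDATES)
    with_looser = allowed_set([HEADER_POLICY, META_LOOSER], "script-src", PAGE, CANDIDATES)
    return header_only, with_tighter, with_looser


if __name__ == "__main__":
    h, t, l = demo()
    print("header only     :", sorted(h))
    print("header + tighter:", sorted(t))
    print("header + looser :", sorted(l))
```

Running it shows the header alone permits the page's own script and the HTTPS CDN; adding the tighter meta policy drops the CDN; adding the "looser" `default-src *` meta policy changes nothing, because the header still has to agree. That is the property Axel is relying on: whoever can inject a meta tag can deny resources, but cannot grant any the header did not already allow.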