The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 |
Newsgroups: mozilla.dev.security
From: Sid Stamm <s...@mozilla.com>
Date: Mon, 06 Apr 2009 10:12:49 -0700
Local: Mon, Apr 6 2009 1:12 pm
Subject: Re: Content Security Policy - final call for comments
On 4/6/09 3:56 AM, Gervase Markham wrote:
> - When might we see the "Refinements" section with the JS/eval changes? The content is in the other document, but most likely we'll be moving > Or is that the other document? that to the wiki too (I've linked to the description doc in the mean time). > - What happens if a Report-URI encounters a redirect? We should say Personally, I don't like the idea of honoring redirects for logging... > specifically in the spec what we do, and I think we should honour it. > This would allow us to do "all reports must be sent to the same host > that served the protected content" while still allowing people to set it > up so that the logging server was a separate machine. if a meta tag can be injected into a page (with a CSP header or not) and the site hosts an open redirect, suddenly cookies can be stolen from all visitors to a site. > - Would it not be more flexible, with negligible change in While it's true that this would be easy to implement, I think we need to > implementation complexity, to make report-uri multi-valued? We have to > support multiple values anyway. set a limit. We don't want to spawn off 100 requests every time a policy is violated. If that happens, attackers could leverage the reporting mechanism in CSP to flood a network with traffic. I'm not convinced that widespread use will demand more than two report URIs, and it's not difficult to set up that report URI recipient service to fork copies to multiple other destinations. > - "but a declared (unexpanded) policy always has the "allow" directive." I think the intention for requiring the allow directive was to force the > I think you need to make it more clear that "allow" is mandatory. But > what was the logic behind making it so? Why not assume "allow *", which > is what browsers do in the absence of CSP anyway? policy-writer into writing out the default case to minimize possibility for false assumptions. I'm not sure though. > - The formal syntax uses "<host-expr-list>" but it's undefined in that Nope... that's a mistake, should be "<source-list>". > formal section. Is that intentional? > - Should there be a space or other separator in the middle of Indeed. ";" > "<allow-directive><directive-list>"? > - The Violation Report Sample has: You're right, a full URI would be appropriate there. The wiki was > "<blocked-uri>some_image.png</blocked-uri>". Given that the directive > blocked was a "self" directive, I would expect some_image.png to be on > another host, and therefore for a full URI to be provided. (This is > vital for trying to find out who is behind the content injection.) What > have I missed? actually parsing out the http://evil.com/ part from both references to "some_image.png" and omitting it... weird. Thanks for the comments! You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
| |||||||||||||