[webkit-dev] New feature: Content-Security-Policy

Adam Barth abarth at webkit.org
Thu May 5 23:27:44 PDT 2011


In the interest of setting a positive example, I thought I should send
out an email about the new feature I'm working on.  Ideally, I would
have sent out this email earlier in the development cycle, but the
policy didn't exist at that time.

== Overview ==

Content-Security-Policy (CSP) is a way for web sites to mitigate some
of their security vulnerabilities by disabling unused browser
functionality.  For example, a web site can restrict script execution
to only external scripts fetched from a whitelist of URLs, mitigating
cross-site scripting vulnerabilities.

Web sites can supply a Content-Security-Policy for a document either
in an HTTP header or in an HTML <meta> element in the document.  Over
time, we expect to add more directives to the policy language, but for
the moment we're focusing on helping web sites mitigate cross-site
scripting.
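To make the whitelist idea concrete, here is an added Python model (not WebKit code and not from this mail) of how a script-src whitelist decides whether a script may run. It assumes the draft spec's source-list syntax (`script-src`, `default-src`, `'self'`, `'none'`, `'unsafe-inline'`, scheme-only and `*.host` sources); the hosts and the sample policy are constructed.

```python
from urllib.parse import urlsplit

# Example policy as it would be delivered in the experimental header:
#   X-WebKit-CSP: script-src 'self' https://cdn.example.com; default-src 'none'
# (example.com and cdn.example.com are constructed sample hosts)

def parse_policy(policy):
    """Split 'dir src src; dir src' into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, url, origin):
    """Check one source expression against an absolute script URL.
    origin is the document's (scheme, host, port) tuple; 'self' means exactly that origin."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    u = urlsplit(url)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == origin
    if source.endswith(":") and "/" not in source:      # scheme-only source, e.g. https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:               # https://cdn... does not match http://cdn...
        return False
    host = s.hostname or ""
    if host.startswith("*."):                           # wildcard subdomain, e.g. *.example.com
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    return s.port is None or s.port == u.port

def script_allowed(policy, origin, script_url=None):
    """Would the policy let this script run? script_url=None means an inline <script> block."""
    d = parse_policy(policy)
    sources = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
    if sources is None:
        return True                 # no applicable directive: the policy does not restrict script
    if script_url is None:
        return "'unsafe-inline'" in sources   # a whitelist blocks inline script unless re-enabled
    return any(source_matches(s, script_url, origin) for s in sources)
```

Because inline script is refused as soon as a whitelist exists, an injected `<script>` in page content does not run, which is the XSS mitigation the policy is after.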

== Community Interest ==

Mozilla is strongly interested in implementing CSP.  They've been
working on the idea for a couple of years and have shipped an
experimental implementation in Firefox 4.  There's also significant
interest from major web site operators, most publicly from Twitter:

http://engineering.twitter.com/2011/03/improving-browser-security-with-csp.html

The general approach of content restrictions (of which CSP is one
design) has also been thoroughly analyzed by academics as well as by
white-hat security researchers.

The chrome-team has also expressed interest in using CSP internally to
improve the security of some of Chrome's HTML-based UI and of its
extension system.  Currently, Chrome's bookmark manager is using CSP
to mitigate cross-site scripting.

== Standards ==

The appropriate standards forum for discussing Content-Security-Policy
is the W3C's public-web-security mailing list:

http://lists.w3.org/Archives/Public/public-web-security/

The most recent version of the spec can be found at
<https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>.
The W3C staff have circulated a draft charter for a web security
working group which would include standards-track work on CSP, but the
working group has not yet been formed.

== Development Plan ==

You can follow the implementation of Content-Security-Policy by adding
yourself to the CC list of the meta bug:

https://bugs.webkit.org/show_bug.cgi?id=53572

I'm developing the feature using the experimental name X-WebKit-CSP.
My plan is to track the specification as it evolves.  When the
specification appears to be stable, we'll rename X-WebKit-CSP to
Content-Security-Policy and have some cake.

Adam