[webkit-dev] New feature: Content-Security-Policy
abarth at webkit.org
Thu May 5 23:27:44 PDT 2011
In the interest of setting a positive example, I thought I should send
out an email about the new feature I'm working on. Ideally, I would
have sent out this email earlier in the development cycle, but the
policy didn't exist at that time.
== Overview ==
Content-Security-Policy (CSP) is a way for web sites to mitigate some
of their security vulnerabilities by disabling unused browser
functionality. For example, a web site can restrict script execution
to only external scripts fetched from a whitelist of URLs, mitigating
cross-site scripting vulnerabilities.
Web sites can supply a Content-Security-Policy for a document either
in an HTTP header or in an HTML <meta> element in the document. Over
time, we expect to add more directives to the policy language, but for
the moment we're focusing on helping web sites mitigate cross-site
== Community Interest ==
Mozilla is strongly interested in implementing CSP. They've been
working on the idea for a couple of years and have shipped an
experimental implementation in Firefox 4. There's also significant
interest from major web site operators, most publicly from Twitter:
The general approach of content restrictions (of which CSP is one
design) has also been thoroughly analyzed by academics as well as by
white-hat security researchers.
The Chrome team has also expressed interest in using CSP internally to
improve the security of some of Chrome's HTML-based UI and of its
extension system. Currently, Chrome's bookmark manager is using CSP
to mitigate cross-site scripting.
== Standards ==
The appropriate standards forum for discussing Content-Security-Policy
is the W3C's public-web-security mailing list:
The most recent version of the spec can be found at
The W3C staff have circulated a draft charter for a web security
working group which would include standards-track work on CSP, but the
working group has not yet been formed.
== Development Plan ==
You can follow the implementation of Content-Security-Policy by adding
yourself to the CC list of the meta bug:
I'm developing the feature using the experimental name X-WebKit-CSP.
My plan is to track the specification as it evolves. When the
specification appears to be stable, we'll rename X-WebKit-CSP to
Content-Security-Policy and have some cake.
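As an added illustration (not code from this message or from WebKit), here is a small evaluator for the script whitelisting described in the overview, fed with the kind of policy string an X-WebKit-CSP header would carry; the policy, document origin and script URLs are constructed, and the matcher is simplified (keywords, 'self', scheme and host with a leading wildcard; no ports or paths).

```python
from urllib.parse import urlsplit

# Constructed sample: the value an X-WebKit-CSP header would carry, allowing
# external scripts only from the site itself and one CDN; no inline scripts.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
DOCUMENT_ORIGIN = "https://app.example.com"   # constructed document origin

def parse_policy(policy):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _host_matches(pattern, host):
    # '*.example.com' matches any subdomain; a plain host must match exactly.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def source_allowed(sources, url, origin):
    """Does a fetched URL match one of the directive's whitelist entries?"""
    doc, req = urlsplit(origin), urlsplit(url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (req.scheme, req.netloc) == (doc.scheme, doc.netloc):
                return True
            continue
        if src.startswith("'"):
            continue   # other keywords ('unsafe-inline', ...) never match a URL
        scheme, _, host = src.rpartition("://")   # scheme is optional
        if (not scheme or scheme == req.scheme) and _host_matches(host, req.hostname or ""):
            return True
    return False

def script_decision(policy, origin, script_url=None):
    """Return 'allow' or 'block' for an external (url) or inline (None) script.
    script-src is consulted first, default-src is the fallback."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if script_url is None:   # inline <script>: blocked unless explicitly opted in
        return "allow" if "'unsafe-inline'" in sources else "block"
    return "allow" if source_allowed(sources, script_url, origin) else "block"
```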