abarth at webkit.org
Sun Mar 17 23:38:55 PDT 2013
On Sun, Mar 17, 2013 at 8:56 PM, Geoffrey Garen <ggaren at apple.com> wrote:
>> Unfortunately, you can't implement CSP that way.
>> Consider the case of
>> two same-origin iframes A and B. Suppose A has a restrictive CSP
>> policy (say that bans everything) and B doesn't. If B uses the DOM to
>> insert a script element into A, then CSP should block that script
>> element from executing. Stripping script tags at parse time won't.
> FWIW, I interpreted the phrases "enforcing a directive prevents the protected resource from performing certain actions"
That text is non-normative. The introductory phrase to that sentence
is "generally speaking." The normative requirements are more
> and "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts" as indicating that CSP applied to the resource as loaded from its origin only, and not to other scripts operating on the resulting DOM.
In that sentence, "user-supplied scripts" is intended to refer to
"user scripts" or "content scripts" from the user agent's extension
system. There isn't a great way to refer to those concepts in specs
because they're not really part of the open web platform.
There's a SHOULD-level requirement that the user script act as normal.
That requirement is somewhat aspirational in the sense that no user
agent implements it perfectly. We've made some improvements in that
resource loads initiated by content scripts correctly bypass the
page's CSP policy, but we have more work to do in order to make inline
the page's CSP policy.
> I noticed that the CSP specification was still in draft form. Is it too late to modify this constraint?
Content-Security-Policy 1.0 is a W3C Candidate Recommendation. The
WebAppSec working group is working on Content-Security-Policy 1.1. If
you'd like to contribute your feedback on CSP, please join the
WebAppSec working group. Thus far Apple has not joined the working
group and therefore hasn't been able to contribute to the standard.
I'm sure the working group would be interested in your point of view.
However, I'm sorry that I'm unable to take technical feedback outside
the context of the working group due to IPR concerns.
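As an added example, not code from this thread or from WebKit, a small JavaScript model of the same-origin iframe case quoted above: a script element is checked against the policy of the document that owns it when it would execute, which a parse-time strip of A's markup can never do for an element B inserts through the DOM. The policy parser and source matching are simplified assumptions, not the specification's algorithm.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does script-src (falling back to default-src) permit this script?
// Source matching is simplified (assumption): 'none', 'self', 'unsafe-inline'
// and exact-origin entries only; no wildcards, schemes, nonces or hashes.
function scriptAllowed(policy, docOrigin, script) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;            // no directive: unrestricted
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  return sources.some(s => (s === "'self'" ? docOrigin : s) === origin);
}

// Execution-time check: the policy of the document owning the element decides,
// whichever frame's script created or inserted it.
function executesUnderCsp(ownerDoc, script) {
  return scriptAllowed(ownerDoc.csp, ownerDoc.origin, script);
}

// Parse-time stripping (the design the thread rejects): only script elements
// present in the markup are filtered; later DOM insertions are never examined.
function parseTimeStrip(doc, markupScripts) {
  return markupScripts.filter(s => scriptAllowed(doc.csp, doc.origin, s));
}

// Constructed scenario from the thread: same-origin frames A (bans everything)
// and B (no policy); B inserts an inline <script> into A's DOM.
function sameOriginFrameScenario() {
  const origin = 'https://app.example';
  const frameA = { origin, csp: parseCsp("default-src 'none'") };
  const frameB = { origin, csp: parseCsp('') };
  const injected = { inline: true };
  const aDom = parseTimeStrip(frameA, [{ src: 'https://app.example/main.js' }]);
  aDom.push(injected);                        // bypasses the parser-side filter
  return {
    allowedInB: executesUnderCsp(frameB, injected),      // true
    blockedInA: !executesUnderCsp(frameA, injected),     // true
    injectedSurvivesStripping: aDom.includes(injected),  // true
  };
}
```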