CSP: Allow directive references. #219

Open
mikewest opened this issue Mar 19, 2015 · 5 comments

@mikewest
Member

Rather than repeating hosts all over the place, we could shrink headers (in a backwards incompatible fashion :( ) by allowing one directive to reference another. That is, instead of:

default-src 'none'; \
    img-src example.com not-example.com really-not-example.com; \
    script-src example.com not-example.com really-not-example.com; \
    style-src example.com not-example.com really-not-example.com

we could conceivably write:

default-src 'none'; \
    img-src example.com not-example.com really-not-example.com; \
    script-src 'img-src'; \
    style-src 'img-src'

or something similar.

@jonathanKingston
Contributor

@mikewest as part of writing a post on the CSP pinning feature I had the idea:

Perhaps this directive might also lead to CSP directives being able to be loaded externally via some form of manifest file, the header could then just contain the integrity of the file; that way as directives become more complex the overhead doesn’t increase exponentially.

Would it make more sense, instead of making CSP more complex, to just allow the CSP to contain the integrity of an external CSP file / manifest?

@mikewest mikewest added the CSP label Mar 20, 2015
@mikewest
Member Author

@jonathanKingston: We've certainly talked about that a lot on the list; the general consensus has been that doing a synchronous request before loading a webpage was too high a price to pay for the feature, but it's potentially reasonable to look back at that discussion again to see if we made the right decision, given how CSP is being used in the wild.

@mikewest mikewest added this to the CSP 3 milestone Mar 20, 2015
@jonathanKingston
Contributor

@mikewest I will raise this again on the mailing list, as you say due to usage it might be worth looking into again (I'll not be upset if it gets shot down).

@annevk
Member

annevk commented Mar 26, 2015

Does HTTP/2 header compression not take care of this? Not sure the added complexity is worth it.

@briansmith

A CSP2 implementation will reject/ignore "script-src 'img-src'" and "style-src 'img-src'" so this is not a backward-compatible change. Like Anne mentioned, it seems like HTTP/2 header compression may solve this problem well enough.
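The following is an added illustration of the two points made in this thread, not code from the thread, the w3c/webappsec repository or the CSP specification. It parses the serialized policy from the opening comment, expands the hypothetical `'directive-name'` reference syntax sketched there (the `REFERENCE` pattern, the `expandReferences` function and its cycle check are assumptions of this example, since the proposal never defined a grammar), and then models what a parser that predates the syntax does with the same header: it treats `'img-src'` as an unparseable quoted token and drops it, which is one reading of the "reject/ignore" behaviour described above. That the leftover empty source list then matches nothing is likewise an assumption of the model, and the host matching is deliberately simplified (no scheme, port or path rules).

```javascript
// Added example (not from the w3c/webappsec thread or the CSP spec):
// a minimal serialized-CSP parser, an expander for the proposed
// 'directive-name' reference syntax, and a model of a CSP2-style parser
// that has never heard of that syntax.

// Parse "name src src; name src" into Map<name, string[]>. As in CSP2,
// a directive name that appears twice keeps its first occurrence.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hypothetical reference syntax from the opening comment: a quoted
// directive name such as 'img-src' standing in for that directive's list.
const REFERENCE = /^'([a-z-]+-src)'$/;

// Replace every reference with the referenced directive's (expanded)
// source list. Cycle detection makes "a 'b'; b 'a'" fail instead of looping.
function expandReferences(directives) {
  const resolved = new Map();
  const inProgress = new Set();
  function resolve(name) {
    if (resolved.has(name)) return resolved.get(name);
    if (inProgress.has(name)) throw new Error(`circular reference through ${name}`);
    if (!directives.has(name)) throw new Error(`reference to undefined directive ${name}`);
    inProgress.add(name);
    const list = [];
    for (const token of directives.get(name)) {
      const match = REFERENCE.exec(token);
      const sources = match ? resolve(match[1]) : [token];
      for (const s of sources) if (!list.includes(s)) list.push(s);
    }
    inProgress.delete(name);
    resolved.set(name, list);
    return list;
  }
  const out = new Map();
  for (const name of directives.keys()) out.set(name, resolve(name));
  return out;
}

// Model of a CSP2 parser: keyword-sources, nonces and hashes are the only
// quoted tokens it knows, so 'img-src' is dropped as unparseable. Treating
// the leftover empty list as "matches nothing" is an assumption of this
// model, one reading of the "reject/ignore" behaviour in the thread.
const CSP2_KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);
function parseAsCsp2(serialized) {
  const out = new Map();
  for (const [name, tokens] of parsePolicy(serialized)) {
    out.set(name, tokens.filter((t) =>
      !t.startsWith("'") || CSP2_KEYWORDS.has(t) || /^'(nonce|sha256|sha384|sha512)-/.test(t)));
  }
  return out;
}

// Simplified host matching: exact host or a leading "*." wildcard; the
// scheme, port and path rules of the real algorithm are left out.
function hostAllowed(sourceList, url) {
  const host = new URL(url).host;
  return sourceList.some((src) => {
    if (src === '*') return true;
    if (src.startsWith('*.')) return host.endsWith(src.slice(1)) && host.length > src.length - 1;
    return src === host;
  });
}

function serialize(directives) {
  return [...directives].map(([name, list]) => [name, ...list].join(' ')).join('; ');
}

// Constructed input: the policy from the opening comment, written with references.
const PROPOSED = "default-src 'none'; " +
  "img-src example.com not-example.com really-not-example.com; " +
  "script-src 'img-src'; style-src 'img-src'";

console.log('with references expanded:', serialize(expandReferences(parsePolicy(PROPOSED))));
console.log('as a CSP2 parser sees it: ', serialize(parseAsCsp2(PROPOSED)));
```

Run with `node`. The first line printed is the long form from the opening comment, which is the whole point of the proposal; the second shows `script-src` and `style-src` reduced to empty lists, which is why the change cannot be deployed to existing user agents without an opt-in.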

4 participants