CSP: Allow directive references.

[mikewest]

Rather than repeating hosts all over the place, we could shrink headers (in a backwards incompatible fashion :( ) by allowing one directive to reference another. That is, instead of:

default-src 'none'; \
    img-src example.com not-example.com really-not-example.com \
    script-src example.com not-example.com really-not-example.com \
    style-src example.com not-example.com really-not-example.com

we could conceivably write:

default-src 'none'; \
    img-src example.com not-example.com really-not-example.com \
    script-src 'img-src'
    style-src 'img-src'

or something similar.

[jonathanKingston]

@mikewest as part of writing a post the CSP pinning feature I had the idea:

Perhaps this directive might also lead to CSP directives being able to be loaded externally via some form of manifest file, the header could then just contain the integrity of the file; that way as directives become more complex the overhead doesn’t increase exponentially.

Would it make more sense instead of making CSP more complex just allowing the CSP to just contain the integrity of an external CSP file / manifest?

[mikewest]

@jonathanKingston: We've certainly talked about that a lot on the list; the general consensus has been that doing a synchronous request before loading a webpage was too high a price to pay for the feature, but it's potentially reasonable to look back at that discussion again to see if we made the right decision, given how CSP is being used in the wild.

[jonathanKingston]

@mikewest I will raise this again on the mailing list, as you say due to usage it might be worth looking into again (I'll not be upset if it gets shot down).

[annevk]

Does HTTP/2 header compression not take care of this? Not sure the added complexity is worth it.

[briansmith]

A CSP2 implementation will reject/ignore "script-src 'img-src'" and "style-src 'img-src'" so this is not a backward-compatible change. Like Anne mentioned, it seems like HTTP/2 header compression may solve this problem well enough.