@mikewest
github.com/mikewest/csp-n… is a thought experiment: what if we broke CSP in half, removed some esoteric options, and built policy primitives that specifically targeted XSS on the one hand, and resource confinement on the other?
Mike West
@mikewest
15 Aug
A hypothetical `Scripting-Policy: nonce="number-used-once-goes-here"` could be substantially more focused, and simpler for developers to understand and deploy.
A similarly speculative `Confinement-Policy` could deal only with Fetch, likewise providing clarity.
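The nonce mechanism behind this sketch, as an added example that is not Mike's code and not any shipped browser feature: a small Python module that mints a per-response nonce, emits today's CSP equivalent beside the hypothetical `Scripting-Policy` syntax from the tweet, and simulates which `<script>` elements a nonce-only policy would let run. The `Scripting-Policy` header shape is assumed from the thread, and the sample page is constructed.

```python
import secrets
from html.parser import HTMLParser

def make_nonce() -> str:
    """Mint a fresh 128-bit nonce (base64url). A nonce must be new for every
    response; a reused or predictable nonce gives an injected script a free pass."""
    return secrets.token_urlsafe(16)

def policy_headers(nonce: str) -> dict[str, str]:
    """Today's CSP equivalent next to the hypothetical Scripting-Policy syntax
    from the tweet (assumed syntax; no browser ships such a header)."""
    return {
        "Content-Security-Policy": f"script-src 'nonce-{nonce}'",
        "Scripting-Policy": f'nonce="{nonce}"',
    }

class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag in a document."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def scripts_allowed(html: str, nonce: str) -> list[tuple[str, bool]]:
    """Simulate a nonce-only scripting policy: a <script> executes only when
    its nonce attribute equals the per-response nonce. Scripts without it,
    inline or external, are blocked regardless of origin, which is the whole
    XSS story the sketched header is meant to tell."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [(attrs.get("src") or "inline", attrs.get("nonce") == nonce)
            for attrs in collector.scripts]

# Constructed sample page: two server-authored scripts carrying the nonce,
# then two scripts an injection might add (no nonce, so they must not run).
NONCE = make_nonce()
PAGE = f"""<script nonce="{NONCE}" src="/static/app.js"></script>
<script nonce="{NONCE}">App.init();</script>
<script>injected();</script>
<script src="https://third-party.example/x.js"></script>
"""

if __name__ == "__main__":
    for name, value in policy_headers(NONCE).items():
        print(f"{name}: {value}")
    for src, ok in scripts_allowed(PAGE, NONCE):
        print(f"{'ALLOW' if ok else 'BLOCK'} {src}")
```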
Mike West
@mikewest
15 Aug
I'm not actually convinced this is worth us collectively spending time on (CSP _exists_, after all, and there are pressing problems), but some conversation with clever folks like @arturjanc, @we1x, and @mikispag makes it clear that this is at least worth discussing a bit.
WDYT?
Mike West
@mikewest
15 Aug
(Also, this was just a fun way to procrastinate a bit on the 17 other things I'm supposed to be doing this week. 😭)
Lukasz Olejnik
@lukOlejnik
15 Aug
"ARTUR is a silly suggestion that is obviously a bad idea as specified". I see what you did there. You thought of it from the very beginning didn't you?
Mike West
@mikewest
15 Aug
This has been in the back of several people's heads for years. I don't think the direction would be a surprise to anyone who's been paying attention to various conversations in WebAppSec. :)
Rhy Moore
@morewry
15 Aug
What if we added specific sanitization APIs to the DOM?
Literally every time I have to go look into what a new framework or library is doing under the hood for that or try to find a standalone library for it, I wish wistfully for this.
Mike West
@mikewest
15 Aug
@freddyb and @cure53berlin were looking into that. It just hasn’t bubbled up anyone’s list far enough to spend the time on it that’s necessary.
Craig Francis
@craigfrancis
15 Aug
I like the Scripting-Policy part, which gives a good focus on XSS (and should be where most website developers start); but Resource Confinement is probably more powerful with the current CSP syntax (maybe with some bits deprecated).