
Interaction with CSP. #3

Open
mikewest opened this issue Jan 7, 2020 · 3 comments

Comments

@mikewest (Owner) commented Jan 7, 2020

@arturjanc reasonably asks what the plan is when both a Scripting-Policy and CSP are present on the same page. Do we enforce both? So we ignore the CSP?

I think the right answer for the short term is to enforce both, assuming that the enforcement strategy and behavior for both is compatible. I think that should be the goal.

Ignoring the Content-Security-Policy seems like the wrong thing to do in the absence of something like the confinement bits of the explainer, but maybe it's a simpler story for developers?

@arturjanc commented Jan 7, 2020

I wonder if it would make sense to only ignore certain directives in the CSP (e.g. script-src) if a scripting policy is enabled. This can, however, get confusing: do we only ignore them if there's an enforcing Scripting-Policy but not a report-only one, etc?

If we somehow found a satisfactory answer to this, I think it could be nice; that's because it would implicitly work like the versioning of CSP that many developers (hello, @devd!) have asked about in the past.

@mikewest (Owner, Author) commented Jan 8, 2020

> This can, however, get confusing

This is my main concern.

> If we somehow found a satisfactory answer to this

I think I'd be most comfortable ignoring CSP if we had both Scripting-Policy and Whatever-Policy-Does-Confinement, as it's a real use case that developers find valuable, and I'd like to only throw away the old thing when the new things sufficiently support the breadth of how the old thing is being used.

I've done basically no work on the latter. Perhaps someone's interested in picking it up? @hillbrad might have some thoughts from FB's perspective, for example?

@devd commented Jan 12, 2020

heh .. sorry to beat the same drum, but would it be easier to make a new header, CSPN, where script-policy is a new directive? Applications could serve the CSPN header and be aware that it will intersect (and so test wisely), and serve the old CSP header for browsers that don't support CSPN/script-policy.
