RESOLVED LATER 103228
CSP 1.1: Teach ContentSecurityPolicy about policy sources. 
https://bugs.webkit.org/show_bug.cgi?id=103228
Summary CSP 1.1: Teach ContentSecurityPolicy about policy sources.
Mike West
Reported 2012-11-26 01:40:30 PST
We're accepting Content Security Policies via either an HTTP header or meta element, and there's discussion in the WG regarding the way we parse/handle the header's content. `report-uri`, for instance, might or might not be something we want to support in the meta element. Likewise, we almost certainly don't want to suport `reflected-xss` in the meta element. To support those sorts of distinction, we should teach the CSP object about the source of the policy. This is probably as simple as adding an enum. I'll take a look today.
Attachments
Patch (14.72 KB, patch)
2012-11-26 02:48 PST, Mike West 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2012-11-26 02:11:40 PST
Ugh. The actual change here is very straightforward, but things end up being piped through eighty-three levels of worker context shifts*, and back and forth between Chromium and WebKit. Not pretty. I'd also end up requiring a new `deprecatedSource` method to match `deprecatedType`. I don't really want to add an instantly deprecated method. :) I'm not sure the distinction is even relevant for workers (at least, the directives being discussed right now don't seem relevant). I'll throw up a patch that papers over the problem with a Worker source, just to get a conversation going. *this number might be slightly exaggerated.
Mike West
Comment 2 2012-11-26 02:48:17 PST
Created attachment 175951 [details] Patch
Mike West
Comment 3 2012-11-29 00:10:15 PST
Friendly ping. I'm hopeful that we can either avoid piping this through workers, or find a mechanism that lets us do it without tons of busywork. :)
Adam Barth
Comment 4 2012-11-29 15:32:23 PST
This seems too speculative at the moment. We don't know how this conversation is going to pan out in the working group. If we end up needing this flag, this isn't an unreasonably way to wire it in, but it's not clear to me whether we're going to need it.
Mike West
Comment 5 2012-11-30 12:18:59 PST
(In reply to comment #4) > This seems too speculative at the moment. We don't know how this conversation is going to pan out in the working group. If we end up needing this flag, this isn't an unreasonably way to wire it in, but it's not clear to me whether we're going to need it. If meta or html@policy or whatever remains in 1.1, we'll quite likely need something along these lines for 'reflected-xss' (assuming that remains in 1.1 as well). *shrug* I'll mark this LATER for the moment, and come back to it when it's more pressing.
Eric Seidel (no email)
Comment 6 2013-01-04 00:53:14 PST
Comment on attachment 175951 [details] Patch Cleared review? from attachment 175951 [details] so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).
Note You need to log in before you can comment on or make changes to this bug.