[websec] Call for review of Content Security Policy 1.0

"Hill, Brad" <bhill@paypal-inc.com> Tue, 04 September 2012 23:00 UTC

Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id CA42421E8082 for <websec@ietfa.amsl.com>; Tue, 4 Sep 2012 16:00:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mgmhOFh8R4xo for <websec@ietfa.amsl.com>; Tue, 4 Sep 2012 16:00:29 -0700 (PDT)
Received: from den-mipot-001.corp.ebay.com (den-mipot-001.corp.ebay.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1FDD121E805A for <websec@ietf.org>; Tue, 4 Sep 2012 16:00:29 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To: Subject:Thread-Topic:Thread-Index:Date:Message-ID: Accept-Language:Content-Language:X-MS-Has-Attach: X-MS-TNEF-Correlator:x-originating-ip:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=qlHrSVJ/4LPqaVlDjqNgLnU6D+OoeKTIBcdhS1rizOhEeEKIED/hI3sb uvUljgfdcMToKqrRiLQ2Ti0YY82/cW1Fyj7zwlvwhiLrS9COSujXgWzv6 dgJiOyHCgzMke/z;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=ppinc; t=1346799629; x=1378335629; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=6BjUzvE4yozwtlKIxzeeUlyagZ9YjXCWAa+F530jYR4=; b=DfYUsk+eqHumcEm1l/2SbMgno73h7jOWSqZcWWBR/LGSkcBMZrUnjUcP PS5sLsBuOQcheDvw/DI9aP0tosXPA2CqqRBHXRVEJwtCIFXM4uGXSj50T jwjsHSxGAnbs6QT;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.80,369,1344236400"; d="scan'208";a="9520817"
Received: from den-vtenf-001.corp.ebay.com (HELO DEN-EXMHT-003.corp.ebay.com) ([]) by den-mipot-001.corp.ebay.com with ESMTP; 04 Sep 2012 16:00:28 -0700
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-003.corp.ebay.com ([fe80::55d3:9d86:3fc8:dbf4%14]) with mapi id 14.02.0298.004; Tue, 4 Sep 2012 17:00:22 -0600
From: "Hill, Brad" <bhill@paypal-inc.com>
To: "websec@ietf.org" <websec@ietf.org>
Thread-Topic: Call for review of Content Security Policy 1.0
Thread-Index: Ac2K8Q+9qgls1oZjSieX7Gz7Krupmg==
Date: Tue, 04 Sep 2012 23:00:21 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E23634D@DEN-EXDDA-S12.corp.ebay.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Subject: [websec] Call for review of Content Security Policy 1.0
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 23:00:29 -0000

The Web Application Security Working Group at the W3C is planning to advance Content Security Policy 1.0 to Candidate Recommendation - a final set of features and syntax - and is seeking wide review of the document at this time.  We would especially value the input of members of the IETF WebSec list.


Content Security Policy is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources.

To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script.

Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks.

There is often a non-trivial amount of work required to apply CSP to an existing web application. To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

To take advantage of CSP, a web application opts into using CSP by supplying a Content-Security-Policy HTTP header Such policies apply the current resource representation only. To supply a policy for an entire site, the server needs to supply a policy with each resource representation.

Please submit comments to public-webappsec@w3.org

Thank you,
Brad Hill
W3C Web Application Security WG