[websec] Last Call for Comments at W3C: Content Security Policy 1.0

"Hill, Brad" <bhill@paypal-inc.com> Tue, 10 July 2012 16:27 UTC

From: "Hill, Brad" <bhill@paypal-inc.com>
To: "websec@ietf.org" <websec@ietf.org>
Date: Tue, 10 Jul 2012 16:27:52 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E17C46D@DEN-EXDDA-S12.corp.ebay.com>
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

The WebAppSec WG at the W3C would like to inform WebSec that Content Security Policy (CSP) 1.0 has been published as a Last Call Working Draft, and the WG welcomes review, feedback and comments to public-webappsec@w3.org.


CSP is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources.

To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script.

Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks.

http://www.w3.org/TR/CSP/


Thank you,

Brad Hill
Co-chair, W3C WebAppSec WG
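To make the "restrict from where the application can load resources" mechanism concrete, here is a minimal CSP 1.0 source-list evaluator, added as an example that is not part of the announcement or of the W3C specification. It handles 'none', 'self', 'unsafe-inline', scheme-only sources, host sources with an optional scheme and port, and a leading "*." wildcard; like CSP 1.0 it ignores URL paths, and the policies and URLs it is exercised with are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_policy(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    parts = [d.split() for d in header.split(";") if d.split()]
    return {p[0].lower(): p[1:] for p in parts}

def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())

def _source_matches(expr, url, page_url):
    """Does one CSP 1.0 source expression cover the URL being loaded into the page?"""
    scheme, host, port = _origin(url)
    if expr == "*":                       # bare wildcard: any origin at all
        return True
    if expr == "'self'":                  # same scheme, host and port as the page itself
        return (scheme, host, port) == _origin(page_url)
    if expr.startswith("'"):              # 'none', 'unsafe-inline', 'unsafe-eval' match no URL
        return False
    if expr.endswith(":"):                # scheme-only source, e.g. "https:"
        return scheme == expr[:-1]
    if "://" not in expr:                 # no scheme given: the page's own scheme applies
        expr = f"{_origin(page_url)[0]}://{expr}"
    e_scheme, e_host, e_port = _origin(expr)
    # "*.example.com" covers any subdomain but not the apex host itself
    host_ok = host.endswith(e_host[1:]) if e_host.startswith("*.") else host == e_host
    return host_ok and (e_scheme, e_port) == (scheme, port)

def sources_for(header, directive):
    """Source list governing a directive: its own, else default-src, else None (unrestricted)."""
    policy = parse_policy(header)
    return policy.get(directive, policy.get("default-src"))

def allows_url(header, directive, url, page_url):
    """Would this policy let `directive` (e.g. script-src) load `url` into the page at `page_url`?"""
    sources = sources_for(header, directive)
    if sources is None:
        return True
    return any(_source_matches(e.lower(), url, page_url) for e in sources)

def allows_inline(header, directive="script-src"):
    """An inline <script> block, the classic injected XSS payload, runs only under 'unsafe-inline'."""
    sources = sources_for(header, directive)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]
```

Comparing a permissive policy such as `script-src * 'unsafe-inline'` with `default-src 'none'; script-src 'self' https://cdn.example.com` shows the difference the announcement describes: the second one refuses both injected inline script and script fetched from a host the author never listed.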