Re: Wellknown suffix proposal: csp.txt

hiburn 8 <daniel@hiburn8.org> Fri, 22 May 2020 02:58 UTC

References: <CAGHJ3LnuX97y+_2at=hLc43HvZzw_LKJRnwADGZB1J4hTksEEA@mail.gmail.com> <92C71FFA-37E8-451B-838B-AB9387CCD23E@mnot.net>
In-Reply-To: <92C71FFA-37E8-451B-838B-AB9387CCD23E@mnot.net>
From: hiburn 8 <daniel@hiburn8.org>
Date: Fri, 22 May 2020 03:58:38 +0100
Message-ID: <CAGHJ3LnAWUE6S36kR_Z5L7Zq9YezuTYQriBmXOX9DNzVYbrwCQ@mail.gmail.com>
Subject: Re: Wellknown suffix proposal: csp.txt
To: Mark Nottingham <mnot@mnot.net>
Cc: wellknown-uri-review@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/wellknown-uri-review/1QT-EEkxuNXdm4NuAbdGx5DNhkY>

Hi Mark.
Thanks for the quick reply.

I did intend to create an organisational page and registered csptxt.org
in its place; leave it with me and I'll resubmit with a URI. Will that be
acceptable? I could look into starting an RFC, but I have no experience
with this.

It has not yet been run by the W3C WebAppSec Working Group (I am not
actually a member). Do you suggest I register and seek a consensus?

Thanks again,


On Fri, May 22, 2020 at 3:35 AM Mark Nottingham <mnot@mnot.net> wrote:

> Hello,
>
> Thanks for the request.
>
> The specification needs to be referred to using a URL, not inline.
> Generally, it's best to use an RFC or other publication by a standards
> body, or an organisational page (so that it's more likely to be stable over
> time).
>
> That said, is this being run through the W3C WebAppSec Working Group? If
> not, we'd want to check with them before granting the registration; while
> registering this with a more specific name (e.g., `hiburn8-csp.txt`)
> wouldn't be a problem, consuming `csp.txt` without buy-in from them would
> be problematic.
>
> Cheers,
>
>
> > On 22 May 2020, at 12:25 pm, hiburn 8 <daniel@hiburn8.org> wrote:
> >
> > URI suffix:  csp.txt
> >
> > Description:
> > The csp.txt suffix should point to a plaintext file. This file describes
> > the required Content-Security-Policy (CSP) directives necessary for other
> > origins to embed its content. This would be of use for site administrators
> > to quickly allow content from other origins, without being required to
> > first determine the CSP attributes that permit access to the content,
> > while maintaining the most restrictive/secure policy. This would also
> > allow site owners to quickly resolve content issues; for example, when an
> > allowed JavaScript file is modified to require additional content from
> > another domain which is not permitted by CSP.
> >
> > Specification:
> > There is only one mandatory field for a csp.txt, 'Content-Security-Policy'.
> > Its value is identical to the attributes of a Content-Security-Policy
> > (rfc7762) header.
> > Example:
> >
> > ------------------This line is not included----------------------------
> > Content-Security-Policy: font-src example.com; connect-src example.com
> > ------------------This line is not included----------------------------
> >
> > Optionally, the 'Path' field indicates the coverage of the
> > 'Content-Security-Policy' field. It describes an absolute or relative
> > path where the CSP attributes apply. This is useful if there are
> > different content services on different paths, which can then be added
> > to a CSP selectively. Likewise, the 'Path' field can show the same
> > information for subdomains. An omitted 'Path' field is identical to
> > 'Path: /'.
> >
> > Example:
> >
> > ------------------This line is not included----------------------------
> > Path: /fonts
> > Content-Security-Policy: font-src example.com;
> > Path: /scripts
> > Content-Security-Policy: script-src example.com; connect-src example.com
> > Path: iframe.example.com
> > Content-Security-Policy: frame-src example
> > ------------------This line is not included----------------------------
> >
> > Additional Info: The main purpose for proposing this suffix is to tackle
> > the management overhead of CSPs [Which is a pain in my ass], as well as
> > make CSPs generally more secure.
> >
> > - Daniel Reece @hbrn8
> >
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
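The csp.txt format from Daniel's proposal above, worked through as an added example (not code from the proposal or any project): a parser for the 'Path' and 'Content-Security-Policy' fields, plus a consumer-side step that merges the entries for the paths a site actually embeds into one header value. The parser assumes a 'Path' line covers the policy line(s) that follow it; the host check in `build_policy`, which only accepts sources on the publishing host or its subdomains, is this example's own defensive choice, and the sample file is constructed.

```python
from collections import OrderedDict

PATH_FIELD, CSP_FIELD = "path", "content-security-policy"

def parse_csp_txt(text):
    """[(path, {directive: [sources]})] in file order; a 'Path' line covers the
    policy line(s) after it (assumed here), no 'Path' line means '/'."""
    entries, path = [], "/"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        name, value = name.strip().lower(), value.strip()
        if name == PATH_FIELD:
            path = value or "/"
        elif name == CSP_FIELD:
            directives = OrderedDict()
            for clause in value.split(";"):
                tokens = clause.split()
                if tokens:
                    directives[tokens[0].lower()] = tokens[1:]
            entries.append((path, directives))
        else:
            raise ValueError("unknown field: %r" % name)
    return entries

def build_policy(entries, wanted_paths, publisher_host):
    """Merge entries for wanted_paths into one CSP header value. Defensive check
    (this example's choice, not the proposal's): only hosts equal to or under
    publisher_host pass; keywords like 'self' fail, as they would name the consumer."""
    merged = OrderedDict()
    for path, directives in entries:
        if path not in wanted_paths:
            continue
        for directive, sources in directives.items():
            for src in sources:
                host = src.split("://")[-1].split("/")[0].split(":")[0]
                if host != publisher_host and not host.endswith("." + publisher_host):
                    raise ValueError("source %r is outside %s" % (src, publisher_host))
                if src not in merged.setdefault(directive, []):
                    merged[directive].append(src)
    return "; ".join(d + " " + " ".join(s) for d, s in merged.items())

# Constructed sample modelled on the proposal's second example
SAMPLE = """Path: /fonts
Content-Security-Policy: font-src example.com;
Path: /scripts
Content-Security-Policy: script-src example.com; connect-src example.com"""
```

`build_policy(parse_csp_txt(SAMPLE), {"/fonts", "/scripts"}, "example.com")` yields the single header value a consumer would send; an entry naming a host outside the publisher raises instead of being merged.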