Wellknown suffix proposal: csp.txt

hiburn 8 <daniel@hiburn8.org> Fri, 22 May 2020 02:25 UTC

From: hiburn 8 <daniel@hiburn8.org>
Date: Fri, 22 May 2020 03:25:22 +0100
Message-ID: <CAGHJ3LnuX97y+_2at=hLc43HvZzw_LKJRnwADGZB1J4hTksEEA@mail.gmail.com>
Subject: Wellknown suffix proposal: csp.txt
To: wellknown-uri-review@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/wellknown-uri-review/V3_BXnHF8WO-kxLjjz6YEQI1WO4>

URI suffix: csp.txt

Description:

The csp.txt suffix should point to a plaintext file. This file describes the
Content-Security-Policy (CSP) directives that other origins require in order
to embed its content.

This would be of use for site administrators to quickly allow content from
other origins, without first having to determine the CSP directives that
permit access to that content, while maintaining the most restrictive/secure
policy. This would also allow site owners to quickly resolve content issues;
for example, when an allowed JavaScript file is modified to require
additional content from another domain which is not permitted by the CSP.


Specification:

There is only one mandatory field for a csp.txt, 'Content-Security-Policy'.
Its value is identical to the value of a Content-Security-Policy (rfc7762)
header.

Example:

------------------This line is not included----------------------------
Content-Security-Policy: font-src example.com; connect-src example.com
------------------This line is not included----------------------------


Optionally, the 'Path' field indicates the coverage of the
'Content-Security-Policy' field. It describes an absolute or relative path
where the CSP directives apply. This is useful if there are different
content services on different paths, which can then be added to a CSP
selectively. Likewise, the 'Path' field can show the same information for
subdomains. An omitted 'Path' field is identical to 'Path: /'.


Example:

------------------This line is not included----------------------------
Path: /fonts
Content-Security-Policy: font-src example.com;

Path: /scripts
Content-Security-Policy: script-src example.com; connect-src example.com

Path: iframe.example.com
Content-Security-Policy: frame-src example
------------------This line is not included----------------------------
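As an added example (not part of this proposal or of any implementation of it), the following Python parses a csp.txt body in the form shown above, selects the entries whose 'Path' covers one embedded resource, and keeps only source expressions scoped to the host that served the file. The sample file, the function names, the path-matching rules and the scoping filter are assumptions of this example, not rules stated by the proposal.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the second example above; 'unsafe-inline' and
# cdn.other.net are included only to show what the scoping check drops.
SAMPLE_CSP_TXT = """\
Path: /fonts
Content-Security-Policy: font-src example.com;
Path: /scripts
Content-Security-Policy: script-src example.com 'unsafe-inline' https://cdn.other.net; connect-src example.com
Path: iframe.example.com
Content-Security-Policy: frame-src iframe.example.com
"""

def parse_csp_txt(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """(path, {directive: sources}) pairs in file order. A missing Path means '/'
    as the proposal says; assumed here: a Path line covers only the policy after it."""
    entries, path = [], "/"
    for raw in text.splitlines():
        field, sep, value = raw.partition(":")
        if not sep:
            continue                      # blank or malformed line
        field, value = field.strip().lower(), value.strip()
        if field == "path":
            path = value or "/"
        elif field == "content-security-policy":
            policy = {}
            for directive in filter(None, (d.strip() for d in value.split(";"))):
                name, *sources = directive.split()
                policy[name.lower()] = sources
            entries.append((path, policy))
            path = "/"
    return entries

def scoped(source: str, serving_host: str) -> bool:
    """Keep only the serving host or names below it (hardening added here, not in
    the proposal): keywords, schemes, wildcards and foreign hosts are dropped."""
    s = source.lower().split("://", 1)[-1].rstrip("/")
    return "*" not in s and (s == serving_host or s.endswith("." + serving_host))

def required_directives(text: str, serving_host: str, host: str, path: str) -> Dict[str, List[str]]:
    """Directives needed to embed https://{host}{path}: host-style Path entries match
    the host or a subdomain, path-style entries match by prefix on the serving host."""
    merged: Dict[str, List[str]] = {}
    for entry, policy in parse_csp_txt(text):
        if entry.startswith("/"):
            hit = host == serving_host and (path == entry or path.startswith(entry.rstrip("/") + "/"))
        else:
            hit = host == entry or host.endswith("." + entry)
        if hit:
            for name, sources in policy.items():
                bucket = merged.setdefault(name, [])
                bucket += [s for s in sources if scoped(s, serving_host) and s not in bucket]
    return merged
```

The embedding site merges the returned directives into its own policy; anything the third party's file lists outside its own domain is discarded rather than trusted.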

Additional Info: The main purpose for proposing this suffix is to tackle the
management overhead of CSPs [Which is a pain in my ass], as well as make CSPs
generally more secure.


- Daniel Reece @hbrn8