Re: Wellknown suffix proposal: csp.txt

Mark Nottingham <> Fri, 22 May 2020 02:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 031673A0DD8 for <>; Thu, 21 May 2020 19:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=NGnlBYh7; dkim=pass (2048-bit key) header.b=cJvcbDXc
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vMnya9KK-S8a for <>; Thu, 21 May 2020 19:35:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A0E8D3A0DDB for <>; Thu, 21 May 2020 19:35:19 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal []) by mailout.west.internal (Postfix) with ESMTP id B5A10AAC; Thu, 21 May 2020 22:35:18 -0400 (EDT)
Received: from mailfrontend2 ([]) by compute4.internal (MEProxy); Thu, 21 May 2020 22:35:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=W 55wZRaWHpMnqs8+oU1deeKULDNfGT0U83x6jUGetOk=; b=NGnlBYh7dEJ86P4iU FeiJFeuf0pR/Al7Lru1RuFrCv8vHuNMkV5QSTORt7dLvU7cSZFuS+LhXVc1KMpH0 Tws8CcDWJl39ROzS79yD/6WHX6iHU0fDQ6ZvSPkubzemUsBYfi8SjGW7CUBKdaYU PycyUuKj1LHp6o3cxUUTyTlBLhkSE3+J2A+D/YL5H99xzGhCkkfr69OZHca0Trbx UcrGUVHvlOvYjftywx+HU6SYhBfnmNHJHpul0pWmElzPZQ79I2vtQ3Bso5ahzViZ LL7w1rJhopypAeHkrL2nVFUtuUtBjGyg7TmwuDqyP1Tgtx7w9LJXjuxRu7JIppBt hyJiw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=W55wZRaWHpMnqs8+oU1deeKULDNfGT0U83x6jUGet Ok=; b=cJvcbDXcECHnxcpckMvuEm6lhjGg/q7nrgm0RFasMK58+5hvwhcsKkD1z 2FBRT9Ta1t9mrp8v6Q+j+B6r2rHRIHUG9IwGlzFxLOyk5dIRWcAU5tze9KM0yx5t kIrZhlI+WDfn1J94ZCEFMlZ2WXuYz5ZwmsvKpq23bAxuj8rb6Eu/5OypMsfPL+h1 CkRDj/XsgcTRMt9QEqWhP1iejA+FNn2E3MgxyAz8QXCUeRDHzFByjslmmcxTM+46 moMUOkBaaZkHFFWdEatRHt1v14OA8I93+R49cW4/z3V7NZgA40ae1uRvi/A9qlnR nAvEavKCqPqZRrG0RrpXM6EUbQlWw==
X-ME-Sender: <xms:ZTrHXuZsxDpSJpY70pMsBaJqIm43ljYtuM6BnAU4BFna62fkoUDPmg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudduvddgheelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpegtggfuhfgjfffgkfhfvffosehtqh hmtdhhtddvnecuhfhrohhmpeforghrkhcupfhothhtihhnghhhrghmuceomhhnohhtsehm nhhothdrnhgvtheqnecuggftrfgrthhtvghrnhephfdvieetieetvdelvdegfeehgfeihf ettdfgkefhueejheffgeffffejgfelhfeinecuffhomhgrihhnpegvgigrmhhplhgvrdgt ohhmpdhivghtfhdrohhrghdpmhhnohhtrdhnvghtnecukfhppeduudelrddujedrudehke drvdehudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhm pehmnhhothesmhhnohhtrdhnvght
X-ME-Proxy: <xmx:ZTrHXhYed5_eS1vO2z7oWswENTzd1hBwRFgHuTHfPH-dFMa_Rz0cDg> <xmx:ZTrHXo_rZ7IK91c5eB6Oj8l9OUkBfOpoMwwRuyrOYBcBYjEY2vznjA> <xmx:ZTrHXgoymcJzikB1_unzejszXW9gogAXYtAs2GAZMObYfhyHaBxprg> <xmx:ZjrHXqC0nMj6kuSk32DBHWyVQC8URkgYftzgzUTKd5DeAnwLWDRrvQ>
Received: from ( []) by (Postfix) with ESMTPA id DDC5530664A6; Thu, 21 May 2020 22:35:16 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Subject: Re: Wellknown suffix proposal: csp.txt
From: Mark Nottingham <>
In-Reply-To: <>
Date: Fri, 22 May 2020 12:35:14 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: hiburn 8 <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Well-Known URI review list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 May 2020 02:35:22 -0000


Thanks for the request.

The specification needs to be referred to using a URL, not inline. Generally, it's best to use an RFC or other publication by a standards body, or an organisational page (so that it's more likely to be stable over time).

That said, is this being run through the W3C WebAppSec Working Group? If not, we'd want to check with them before granting the registration; while registering this with a more specific name (e.g., `hiburn8-csp.txt`) wouldn't be a problem, consuming `csp.txt` without buy-in from them would be problematic.


> On 22 May 2020, at 12:25 pm, hiburn 8 <> wrote:
> URI suffix:  csp.txt
> Description: 
> The csp.txt suffix should point to a plaintext file. This file describes the required Content-Security-Policy 
> (CSP) directives necessary for other origins to embed its content.
> This would be of use for site administrators to quickly allow content from other origins, without
> being required to first determine the CSP attributes that permit access to the content,
> while maintaining the most restrictive/secure policy. This would also allow site owners to quickly resolve 
> content issues; for example, when an allowed javascript file is modified to require additional content from 
> another domain which is not permitted by CSP.
> Specification:
> There is only one mandatory field for a csp.txt, 'Content-Security-Policy'.
> The value of which is identical to the attributes of a Content-Security-Policy (rfc7762) header.
> Example:
> ------------------This line is not included----------------------------
> Content-Security-Policy: font-src; connect-src
> ------------------This line is not included----------------------------
> Optionally, the 'Path' field indicates the coverage of the 'Content-Security-Policy' field.
> It describes an absolute or relative path where the CSP attributes apply.
> This is useful if there are different content services on different paths, which can then be added to a CSP
> selectively. Likewise, the 'Path' field can show the same information for subdomains. An omitted 'Path' field 
> is identical to 'Path: /'
> Example:
> ------------------This line is not included----------------------------
> Path: /fonts
> Content-Security-Policy: font-src;
> Path: /scripts
> Content-Security-Policy: script-src; connect-src
> Path:
> Content-Security-Policy: frame-src example
> ------------------This line is not included----------------------------
> Additional Info: The main purpose for proposing this suffix is to tackle the management overhead of 
> CSPs [Which is a pain in my ass], as well as make CSPs generally more secure.
> - Daniel Reece @hbrn8
> _______________________________________________
> wellknown-uri-review mailing list

Mark Nottingham