Open mikewest opened 4 years ago
I wonder if it would make sense to only ignore certain directives in the CSP (e.g. script-src
) if a scripting policy is enabled. This can, however, get confusing: do we only ignore them if there's an enforcing Scripting-Policy
but not a report-only one, etc?
If we somehow found a satisfactory answer to this, I think it could be nice; that's because it would implicitly work like the versioning of CSP that many developers (hello, @devd!) have asked about in the past.
This can, however, get confusing
This is my main concern.
If we somehow found a satisfactory answer to this
I think I'd be most comfortable ignoring CSP if we had both Scripting-Policy
and Whatever-Policy-Does-Confinement
, as it's a real use case that developers find valuable, and I'd like to only throw away the old thing when the new things sufficiently suport the breadth of what how using the old thing.
I've done basically no work on the latter. Perhaps someone's interested in picking it up? @hillbrad might have some thoughts from FB's perspective, for example?
heh .. sorry to beat the same drum, but would it be easier to make a new header CSPN: where script-policy is a new directive. Applications could serve the CSPN header and be aware that it will intersect (and so test wisely) and serve the old CSP header for browsers that don't support CSPN/script-policy.
@arturjanc reasonably asks what the plan is when both a
Scripting-Policy
and CSP are present on the same page. Do we enforce both? So we ignore the CSP?I think the right answer for the short term is to enforce both, assuming that the enforcement strategy and behavior for both is compatible. I think that should be the goal.
Ignoring the
Content-Security-Policy
seems like the wrong thing to do in the absence of something like the confinement bits of the explainer, but maybe it's a simpler story for developers?