w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

CSP rules from an external URL? #453

Open yonixw opened 3 years ago

yonixw commented 3 years ago

Hi, is there any plan to add a way to "import" or "load" CSP from an external URL? For instance, a header like: Content-Policy-Rules: https://../my/rules. The response of the URL could be as simple as containing the text lines of the headers that should apply.

I guess the use case is for big companies with many different stacks, hosting clouds and DevOps pipelines to have a centralized system that can monitor, enforce and react to any incident. Moving from "report only" to enforce could be moved from developer accountability to the security team (unless you do some DevSecOps).

But even for small teams, this can create opportunities for systems to automate and update policies automatically with the most simple integration (the system could support segmentation with different URLs, e.g. Content-Policy-Rules: https://../system/<segment>/rules).

Security-wise, since it is still all in response.headers[] space, I don't see why it would create a new, not-yet-known vulnerability.

For transparency: I work in a company that would benefit from this feature. But from my small experience, it is a pain point when implementing CSP and surely can benefit all. Thanks in advance, yoni

clelland commented 3 years ago

I think that Origin Policy is a similar-in-scope proposal to this; a single response header gives the information needed to locate the origin policy manifest, which can contain CSP directives which will apply across the site.

This doesn't allow for all of the flexibility of what you are proposing -- you can't have an origin policy which applies only to some URLs, AFAIK (although you can add additional directives with the usual CSP headers).

yonixw commented 3 years ago

Thanks, I will look into it. I saw a suggestion there to include cookies on the GET, which, combined with a cache mechanism, can get to what I want.

I'm new here; does this mean that, since there is an alternative, this issue is currently considered closed? Or is CSP a different entity, so my suggestion still stands and may exist here in parallel to similar solutions (i.e. the Origin Policy)?

antosart commented 3 years ago

What about setting the Content-Security-Policy header in some HTTP reverse proxy? I guess most companies have one in their HTTP stack anyway.

Loading CSP rules from an external URL would have a negative performance impact, since the browser would have to wait for the CSP response before processing any other request related to the page.

yonixw commented 3 years ago

> What about setting the Content-Security-Policy header in some HTTP reverse proxy? I guess most companies have one in their HTTP stack anyway.
>
> Loading CSP rules from an external URL would have a negative performance impact, since the browser would have to wait for the CSP response before processing any other request related to the page.

The Origin Policy mentioned by clelland also has the same problem, and they are solving that by using Cache headers (i.e. a Policy response can say it will be valid for X time and therefore won't be downloaded on every request).

And, yes, you are technically correct. A reverse proxy can resolve the problem. But from my (small, still kind of mid-junior) experience, it will be an order of magnitude easier to just defer the CSP from the webserver and proxies section of the company to the security team. This is the main point of this suggestion.
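As an added example (not code from this thread or from the webappsec-csp project), here is a hypothetical proxy-side WSGI middleware that does what the thread describes: it pulls a plain-text rules document from a central URL, reuses it for the Cache-Control max-age so the policy is not refetched on every request, keeps the last good policy if the central service is unreachable, and appends the header to each response. The rules URL, the one-directive-per-line format and the fallback policy are assumptions made for this example.

```python
import re
import time
import urllib.request

HEADER = "Content-Security-Policy"
FALLBACK = "default-src 'none'"  # constructed fallback used when no policy has ever been fetched

def parse_rules(text):
    """Rules document: one directive per line, '#' comments allowed -> one header value."""
    directives = [ln.split("#", 1)[0].strip().rstrip(";") for ln in text.splitlines()]
    return "; ".join(d for d in directives if d)

def max_age_from(cache_control):
    """Seconds the central response may be reused (0 if no max-age was given)."""
    m = re.search(r"max-age=(\d+)", cache_control or "")
    return int(m.group(1)) if m else 0

class CentralPolicy:
    """Fetches the policy text from a central URL and caches it per its Cache-Control max-age."""
    def __init__(self, url, fetch=None, clock=time.monotonic):
        self.url, self.clock = url, clock
        self.fetch = fetch or self._http_fetch  # injectable so tests run offline
        self._value, self._expires = None, 0.0

    def _http_fetch(self, url):
        with urllib.request.urlopen(url, timeout=2) as resp:
            return resp.read().decode(), resp.headers.get("Cache-Control", "")

    def header_value(self):
        now = self.clock()
        if self._value is None or now >= self._expires:
            try:
                body, cache_control = self.fetch(self.url)
                self._value = parse_rules(body) or FALLBACK
                self._expires = now + max_age_from(cache_control)
            except Exception:
                self._value = self._value or FALLBACK  # keep the last good policy; retry next request
                self._expires = now
        return self._value

class CspMiddleware:
    """WSGI wrapper that adds the central policy to every response (hypothetical proxy-side hook)."""
    def __init__(self, app, policy):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def start(status, headers, exc_info=None):
            # Appended, not replaced: browsers enforce every CSP header delivered, so an
            # application-supplied policy stays in force alongside the central one.
            return start_response(status, list(headers) + [(HEADER, self.policy.header_value())], exc_info)
        return self.app(environ, start)
```

A production deployment would also want a short timeout and a hard cap on the rules body size, since the proxy now depends on the central endpoint for every cache miss.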