Content Security Policy updates

Sid has updated the Content Security Policy spec to address some of the
issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec

You can see the issues we've been tracking and the resolutions at the
Talk page: https://wiki.mozilla.org/Talk:Security/CSP/Spec

There are still a few open issues.
Daniel
7/23/2009 3:32:35 PM
mozilla.dev.security


Daniel Veditz wrote on 7/23/2009 10:32 AM: 
> Sid has updated the Content Security Policy spec to address some of the
> issues discussed here. https://wiki.mozilla.org/Security/CSP/Spec

Under "Policy Refinements with a Multiply-Specified Header" there is a misspelling of "X-Content-SecurityPolicy".

And that section conflicts with what is said earlier in the document, specifically:

"When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced"

vs.

"If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded."

and

"Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored."

- Bil

Bil
7/23/2009 4:36:08 PM
On 7/23/09 9:36 AM, Bil Corry wrote:
> Under "Policy Refinements with a Multiply-Specified Header" there is a misspelling of "X-Content-SecurityPolicy".
Fixed.

> And that section conflicts with what is said earlier in the document, specifically:
> "When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced"
> vs.
> "If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded."
> and
> "Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored."
Fixed.  Multiple header instances cause the policies to be intersected.
This is more-or-less a replacement for meta tag support, which has been
dropped.

Thanks Bil!

-Sid
Sid
7/23/2009 4:41:48 PM
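The two header-handling rules the thread contrasts (first header wins vs. intersection of all headers), as an added toy model that is not code from the thread or from the CSP spec; the directive syntax ("directive src1 src2; ..."), the `allow` fallback directive and the sample headers are assumptions made for the example.

```python
# Added example, not from the thread or the CSP draft. Models how a user agent
# could combine several X-Content-Security-Policy header instances.
# Assumed syntax: "directive source source; directive source", with a
# default "allow" directive used when a specific directive is absent.
from typing import Dict, List, Set

Policy = Dict[str, Set[str]]

# Constructed sample: two header instances sent in the same response.
SAMPLE_HEADERS: List[str] = [
    "allow 'self'; img-src *",
    "allow 'self'; img-src https://cdn.example.com",
]
SELF_ORIGIN = "https://app.example.com"  # constructed origin of the document


def parse_policy(header_value: str) -> Policy:
    """Parse one header value into {directive: set(sources)}."""
    policy: Policy = {}
    for clause in header_value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0]] = set(parts[1:])
    return policy


def source_allowed(policy: Policy, directive: str, origin: str, self_origin: str) -> bool:
    """True if this single policy permits loading `origin` under `directive`.
    Falls back to the assumed default 'allow' directive when absent."""
    sources = policy.get(directive, policy.get("allow", set()))
    if "*" in sources:
        return True
    if "'self'" in sources and origin == self_origin:
        return True
    return origin in sources


def allowed_first_wins(headers: List[str], directive: str, origin: str, self_origin: str) -> bool:
    """The rule Bil flagged as contradictory: only the first header counts."""
    return source_allowed(parse_policy(headers[0]), directive, origin, self_origin)


def allowed_intersection(headers: List[str], directive: str, origin: str, self_origin: str) -> bool:
    """The rule Sid settled on: a load is permitted only if every header permits it,
    so adding a header can only tighten the effective policy, never loosen it."""
    return all(source_allowed(parse_policy(h), directive, origin, self_origin) for h in headers)
```

With the sample headers, an image from a third-party origin passes under first-wins (the first header's `img-src *`) but is blocked under intersection, because the second header restricts images to the CDN.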
Sid Stamm wrote on 7/23/2009 11:41 AM: 
> On 7/23/09 9:36 AM, Bil Corry wrote:
>> And that section conflicts with what is said earlier in the document, specifically:
>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced"
>> vs.
>> "If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded."
>> and
>> "Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored."
> Fixed.  Multiple header instances cause the policies to be intersected.
>  This is more-or-less a replacement for meta tag support, which has been
> dropped.

There's still one sentence about it lingering under "Activation and Enforcement" that needs to be removed.

I think the section labeled "Policy Refinements with a Multiply-Specified Header" would be more clear if renamed to "Policy Intersection with Multiple Headers" or something similar.

- Bil

Bil
7/23/2009 6:25:31 PM
On 7/23/09 11:25 AM, Bil Corry wrote:
> Sid Stamm wrote on 7/23/2009 11:41 AM: 
>> On 7/23/09 9:36 AM, Bil Corry wrote:
>>> And that section conflicts with what is said earlier in the document, specifically:
>>> "When multiple instances of the X-Content-SecurityPolicy HTTP header are present in an HTTP response, the intersection of the policies is enforced"
>>> vs.
>>> "If multiple X-Content-Security-Policy headers are present in the HTTP response, then the first one encountered is used and the rest are discarded."
>>> and
>>> "Only the first X-Content-Security-Policy Response header received by the user agent will be considered; any additional X-Content-Security-Policy HTTP Response headers in the same response will be ignored."
>> Fixed.  Multiple header instances cause the policies to be intersected.
>>  This is more-or-less a replacement for meta tag support, which has been
>> dropped.
> There's still one sentence about it lingering under "Activation and Enforcement" that needs to be removed.
Thanks for catching this.  Fixed.

> I think the section labeled "Policy Refinements with a Multiply-Specified Header" would be more clear if renamed to "Policy Intersection with Multiple Headers" or something similar.
Good call.  Done.  It's difficult to capture "policy refinements when
the X-Content-Security-Policy header appears many times" into a small
section header.

-Sid
Sid
7/23/2009 6:30:11 PM