Why is it an error to have both X-Content-Security-Policy and X-Content-Security-Policy-Report-Only ?

https://wiki.mozilla.org/Security/CSP/Spec#Report-Only_mode

If both a X-Content-Security-Policy-Report-Only header and a
X-Content-Security-Policy header are present in the same response, a warning
is posted to the user agent's error console and any policy specified in
X-Content-Security-Policy-Report-Only is ignored. The policy specified in
X-Content-Security-Policy headers is enforced.


Why is this?  This seems like an unnecessary burden which prevents groups
from tightening their security policies over time.

For example, here at Google, I'm interested in helping resolve some of our
Mixed Content warnings, so I might run the following header on all Google
HTTPS sites:

  X-Content-Security-Policy-Report-Only: allow https://*:443; options inline_script eval-script; report-uri /someUri

This will allow me to collect information on all the mixed-content
violations which may occur.

However, in the future, a different group may decide that they want to
enforce a tighter policy, and may add the header:

  X-Content-Security-Policy: [something else]

All of a sudden, two reasonable changes by two different people will result
in a user visible error, and will suppress my ability to collect information
about mixed-content errors.

To me, it seems valuable to support both X-Content-Security-Policy
and X-Content-Security-Policy-Report-Only, as it allows sites to test new
restrictions without disrupting their current restrictions.

-- Nick
Nick
3/12/2010 10:45:54 PM
mozilla.dev.security

On 12/03/10 22:45, Nick Kralevich wrote:
> To me, it seems valuable to support both X-Content-Security-Policy
> and X-Content-Security-Policy-Report-Only, as it allows sites to test new
> restrictions without disrupting their current restrictions.

That's a very good point IMO.

Gerv
Gervase
3/15/2010 10:26:43 AM

On 03/15/2010 03:26 AM, Gervase Markham wrote:
> On 12/03/10 22:45, Nick Kralevich wrote:
>> To me, it seems valuable to support both X-Content-Security-Policy
>> and X-Content-Security-Policy-Report-Only, as it allows sites to test new
>> restrictions without disrupting their current restrictions.
> 
> That's a very good point IMO.
> 
> Gerv

I agree this is a good point and was discussing it today with a couple
of people.  Our thought was that CSP, in the presence of both headers,
could maintain two separate policies.  As we then do the various checks
we would refer to each policy in kind and take the appropriate action,
whether it's blocking some content in the case of the "real" policy, or
generating a violation report in the case of the report-only policy.

The root element in the violation reports (which is switching to JSON,
btw.  Bug 548193) could be different based on whether it was the real
policy or the report-only policy that was violated.

I'll be filing a bug shortly to track this change.  Does this address
your concerns, Nick?

-Brandon
Brandon
3/15/2010 8:23:51 PM

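
Nick's scenario and Brandon's two-policy proposal, as an added Python example that is not part of this thread or of Mozilla's implementation: a toy user agent that parses the 2010-era header syntax quoted above, checks one resource load against each policy, and returns what would be blocked and what would be reported under either rule. The enforced policy a second team adds, the page origin and the JSON report shape are constructed for the example.

```python
import fnmatch
from urllib.parse import urlsplit

def parse_csp(header):
    """'allow self; img-src *; report-uri /r' -> {'allow': ['self'], 'img-src': ['*'], 'report-uri': ['/r']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def source_matches(src, url, self_origin):
    """Match one 2010-era source expression ('*', 'self', 'https://*:443', 'media1.com') against url."""
    if src == "*":
        return True
    if src == "self":
        src = self_origin
    if "://" not in src:
        src = "*://" + src                      # bare host: any scheme
    if ":" not in src.split("://", 1)[1]:
        src += ":*"                             # no port given: any port
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return fnmatch.fnmatchcase(f"{u.scheme}://{u.hostname}:{port}", src)

def evaluate_load(headers, directive, url, self_origin, dual_policy):
    """Simulated UA; returns (blocked, reports). dual_policy=False is the quoted spec text (Report-Only
    ignored whenever the enforced header is present); dual_policy=True is Brandon's proposal (both
    policies kept: the enforced one blocks, the Report-Only one just reports). Report shape is constructed."""
    blocked, reports = False, []
    for root, name in (("csp-report", "X-Content-Security-Policy"),
                       ("csp-report-only", "X-Content-Security-Policy-Report-Only")):
        if name not in headers or (root == "csp-report-only" and not dual_policy
                                   and "X-Content-Security-Policy" in headers):
            continue
        policy = parse_csp(headers[name])
        sources = policy.get(directive, policy.get("allow", []))   # unset directive falls back to allow
        if not any(source_matches(s, url, self_origin) for s in sources):
            blocked = blocked or root == "csp-report"              # root key names the violated policy
            reports.append({root: {"violated-directive": directive, "blocked-uri": url,
                                   "report-uri": (policy.get("report-uri") or [None])[0]}})
    return blocked, reports

# Nick's Report-Only header from the thread, a constructed enforced policy a second team might
# add later, and the page origin used for 'self'.
REPORT_ONLY = "allow https://*:443; options inline_script eval-script; report-uri /someUri"
ENFORCED = "allow self; img-src *; report-uri /enforced"
SELF = "https://www.google.com:443"
```

Under the quoted spec text, adding ENFORCED makes the mixed-content image loads that REPORT_ONLY was catching disappear from the reports; under the two-policy model they keep being reported while the enforced policy decides what is blocked.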
Sounds good to me.  Thnx!

-- Nick

On Mon, Mar 15, 2010 at 1:23 PM, Brandon Sterne <bsterne@mozilla.com> wrote:

> I'll be filing a bug shortly to track this change.  Does this address
> your concerns, Nick?

Nick
3/15/2010 8:26:23 PM