CSP Embedded Enforcement #326

Closed
EthanHeilman opened this issue Apr 17, 2020 · 7 comments · Fixed by #363
Labels
position: neutral venue: W3C Specifications in W3C Working Groups

Comments

@EthanHeilman

Request for Mozilla Position on an Emerging Web Specification

Other information

I would like to add the CSP attribute to iframe according to the Embedded Enforcement standard proposal. While the Embedded Enforcement standard has been a draft for four years and hasn't made much progress, support for it has been added to several other browsers according to the MDN web docs.

In Mozilla's Bugzilla there is an unassigned bug, "CSP: Implement Embedded Enforcement".

I'd be willing to write a patch to add support for the embedded enforcement CSP iframe attribute to Gecko; however, I want to understand if the Mozilla community would be willing to accept this patch.

@dbaron
Contributor

dbaron commented Apr 17, 2020

I'd be particularly interested in opinions from @ckerschb and @martinthomson , but others are welcome to chime in as well.

@dbaron dbaron added the venue: W3C Specifications in W3C Working Groups label Apr 17, 2020
@annevk
Contributor

annevk commented Apr 20, 2020

As far as I know this specification is not in active development. It hasn't seen updates since October 2018 and I'm pretty sure Chrome does not support it either.

@mikewest

Chrome shipped CSP:EE in 61 (~June 2017). But yes, the spec is rotting, and I'd very much appreciate working with y'all to improve it. (/cc @ArthurSonzogni)

@EthanHeilman
Author

EthanHeilman commented Apr 20, 2020

@mikewest My goal here is to get this specific feature into Firefox. I'm willing to write the code. This is because it is required for a project I'm working on to help secure keys in JavaScript. That being said, I'd be interested in working on the spec and helping improve it, but I'm not sure where to start.

@annevk I'm currently testing the CSP functionality in Chrome and early tests indicate it does work as intended. For instance, it fails if the Allow-CSP-From header is not set correctly. More in-depth tests are still in the process of being performed, which may reveal bugs.

@EthanHeilman
Author

Performed more detailed tests and I can confirm that this feature works as designed on Chrome.

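The behaviour tested in the two comments above (the embedded response is blocked unless it either opts in via Allow-CSP-From or already carries a policy at least as strict as the one the iframe's csp attribute requires) can be modelled without a browser. The following is an added example written for this page, not code from the thread, from Gecko, from Chromium or from the specification itself: a Node.js model of the "is response blocked by the required CSP?" decision. The subsumption step is a deliberate simplification (exact source-expression subset per directive, with 'none' or an empty source list always counting as stricter); the spec's real algorithm also handles default-src fallback, host wildcards and scheme matching, which this model treats as "not subsumed", i.e. it errs on the side of blocking. The origins, header values and policies are constructed inputs.

```javascript
// Parse a serialized CSP ("script-src 'self'; object-src 'none'") into
// Map<directiveName, Set<sourceExpression>>. Duplicate directive names are
// ignored, as in CSP proper (the first occurrence wins).
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, new Set(parts.slice(1)));
  }
  return directives;
}

// Simplified subsumption (assumption of this example, see lead-in): every
// directive the embedder requires must appear in one of the embedded
// document's own policies with a source list that is a subset of the required
// one, or that is 'none' / empty, which is stricter than anything.
function subsumes(ownPolicies, required) {
  for (const [name, requiredSources] of required) {
    const ok = ownPolicies.some((own) => {
      const sources = own.get(name);
      if (sources === undefined) return false;
      if (sources.size === 0 || (sources.size === 1 && sources.has("'none'"))) return true;
      return [...sources].every((s) => requiredSources.has(s));
    });
    if (!ok) return false;
  }
  return true;
}

// Case-insensitive header lookup; a single header value is assumed.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// embedderOrigin:  serialized origin of the embedding document
// requiredCsp:     value of the <iframe csp="..."> attribute, or null if absent
// responseHeaders: headers of the embedded document's response
// Returns { blocked, policies }, where policies are the ones that end up
// enforced on the embedded document if it loads.
function checkEmbeddedResponse(embedderOrigin, requiredCsp, responseHeaders) {
  const ownHeader = headerValue(responseHeaders, 'content-security-policy');
  const ownPolicies = ownHeader === null ? [] : [parsePolicy(ownHeader)];
  if (requiredCsp === null) return { blocked: false, policies: ownPolicies };

  const required = parsePolicy(requiredCsp);
  const allowFrom = headerValue(responseHeaders, 'allow-csp-from');
  if (allowFrom !== null) {
    const v = allowFrom.trim();
    // Opt-in: "*" or an exact match of the embedder's serialized origin.
    // The required policy is then enforced in addition to the document's own.
    if (v === '*' || v === embedderOrigin) {
      return { blocked: false, policies: [...ownPolicies, required] };
    }
    // A non-matching Allow-CSP-From is not an opt-in; fall through.
  }
  // No opt-in: the document's own policy must subsume the required one.
  if (subsumes(ownPolicies, required)) return { blocked: false, policies: ownPolicies };
  return { blocked: true, policies: ownPolicies };
}

// Constructed scenarios (not the thread's actual test inputs).
const EMBEDDER = 'https://app.example';
const REQUIRED = "script-src 'self'; object-src 'none'";

function demo() {
  return {
    optIn: checkEmbeddedResponse(EMBEDDER, REQUIRED, { 'Allow-CSP-From': EMBEDDER }).blocked,
    wrongOrigin: checkEmbeddedResponse(EMBEDDER, REQUIRED, { 'Allow-CSP-From': 'https://other.example' }).blocked,
    noHeaders: checkEmbeddedResponse(EMBEDDER, REQUIRED, {}).blocked,
    stricterOwn: checkEmbeddedResponse(EMBEDDER, REQUIRED,
      { 'Content-Security-Policy': "script-src 'none'; object-src 'none'" }).blocked,
    looserOwn: checkEmbeddedResponse(EMBEDDER, REQUIRED,
      { 'Content-Security-Policy': "script-src 'self' https://cdn.example; object-src 'none'" }).blocked,
  };
}

console.log(demo());
```

Two points worth keeping in mind when reading the model against a real browser: the required policy is attached to every navigation request issued for that frame, not just the first load, so a framed document that navigates itself to a page without Allow-CSP-From gets blocked at that navigation; and a response with no Content-Security-Policy and no Allow-CSP-From at all is blocked outright, which is the "fails if the header is not set correctly" case observed above.
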
@annevk
Contributor

annevk commented May 27, 2020

@mikewest @clelland what's the planned story for this vis-à-vis Document Policy? Should we have both long term? (It's somewhat clear how sandboxing fits in the world of Document Policy, but this is quite a bit different.)

@clelland

AFAIK, the intention is to continue to use this as the mechanism to require CSP on embedded documents (although I could imagine it without the ability to set sandbox, as Document Policy is more suited to that, and there is precedent with <meta> to exclude sandbox).

Assuming that CSP continues to exist as a separate thing (and I'm certainly not suggesting that it wouldn't; CSP has a different scope than either Permissions or Document policy, and is widely deployed), this makes sense as the solution for composability.
