🛤 Web Content Security Policy

Open binji opened this issue 7 years ago • 0 comments

This is a tracking issue for a post-MVP feature It will be updated as the issue progresses.

Topic Content Security Policy Champion none Status in progress Phase Feature proposal Linked issues https://github.com/WebAssembly/design/issues/1092 https://github.com/WebAssembly/design/issues/205 https://github.com/WebAssembly/design/issues/972 Linked repositories github.com/WebAssembly/content-security-policy

Details

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

In the context of WebAssembly, CSP can:

Forbid usage of WebAssembly for developers who opted in to CSP before WebAssembly existed.
Allow finer-grained control of JavaScript restrictions (including unsafe-eval) versus WebAssembly using new CSP mechanisms.

References:

MDN description of CSP
@jfbastien has a first proposal covering CSP as implemented in WebKit.
This was discussed in the 08-08 video call. A poll encouraged @flagxor to work on this.
Some folks mentioned Sub-Resource Integrity along with CSP.

Oct 16 '18 22:10 binji