CSP: child-src and frame-src deprecated

  1. In CSP v2 frame-src was deprecated. child-src is recommended to use instead.
  2. In CSP v3 frame-src is undeprecated and child-src is deprecated.
  3. Currently (Sep 2017) Chrome:

The 'child-src' directive is deprecated and will be removed in M60, around August 2017. Please use the 'script-src' directive for Workers instead.

So what's the correct collection of directives to work in modern (minus 2 versions) browsers? Looks like frame-src + script-src is enough? But what should be in script-src then?

PS: is it even legal to "undeprecate" stuff?

Dmitry Dushkin, asked Sep 04 '17 14:09


1 Answer

2018-12-20 update

child-src has in the meantime been un-deprecated… So now neither frame-src nor child-src are deprecated any longer. But the guidance from the original answer here still holds true:

So what's the correct collection of directives to work in modern (minus 2 versions) browsers?

It seems like the answer to that depends on what exactly you want to specify a policy for.

  1. If your needs are simple and so you don’t want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
  2. If your needs are more complicated and you want a policy for iframe elements that’s different than the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that’s different than the policy for other resources, then use script-src.
  3. If you don’t want a policy for worker scripts different than the policy for other scripts, then you’re fine just providing a script-src policy, and can stop there.
  4. If you do want a policy for worker scripts different than the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won’t affect browsers yet, but will future-proof things for when browsers do add support.

See https://github.com/w3c/webappsec-csp/issues/239#issuecomment-336135344 if you’re curious about the rationale for child-src being un-deprecated:

I was hoping other vendors would implement worker-src so we could drive down usage of child-src and remove it from the platform, but it doesn't look like that's happening quickly enough (removing Chrome's weird fallbacks would break a worker load on 0.006% of page views, which is not huge, but not nothing).


2017-09-04 answer

It’s even a bit more complicated than what’s described in the question, because the CSP3 spec also introduces the worker-src directive. But the spec gives the following guidance:

The child-src model has been substantially altered:

  1. The frame-src directive, which was deprecated in CSP Level 2, has been undeprecated, but continues to defer to child-src if not present (which defers to default-src in turn).
  2. A worker-src directive has been added, deferring to script-src if not present (which likewise defers to default-src in turn).
  3. child-src is now deprecated.

That’s in https://w3c.github.io/webappsec-csp/, which is an editor’s draft but is what you should always consult for current spec requirements. Reason: You can’t trust https://www.w3.org/TR/CSP/ to be up to date (and in general you can’t trust anything under https://www.w3.org/TR to be up to date), and editor’s drafts are what browser implementors actually implement from (they don’t wait to implement until something’s published under https://www.w3.org/TR).

Anyway, the reason the child-src directive was deprecated is that its effect is specified as:

The child-src directive governs the creation of nested browsing contexts (e.g. <iframe> and <frame> navigations) and Worker execution contexts.

The problem with that in practice is: an iframe is very different than a worker script. So that’s why worker-src was added and why frame-src was un-deprecated (because you really do want a separate directive to specify policies for iframe elements), and why child-src was deprecated (because you really don’t want to apply one policy to both iframe elements and worker scripts).

So what's the correct collection of directives to work in modern (minus 2 versions) browsers?

It seems like the answer to that depends on what exactly you want to specify a policy for.

  1. If your needs are simple and so you don’t want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
  2. If your needs are more complicated and you want a policy for iframe elements that’s different than the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that’s different than the policy for other resources, then use script-src.
  3. If you don’t want a policy for worker scripts different than the policy for other scripts, then you’re fine just providing a script-src policy, and can stop there.
  4. If you do want a policy for worker scripts different than the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won’t affect browsers yet, but will future-proof things for when browsers do add support.

PS: is it even legal to "undeprecate" stuff?

Yes. Though I can’t remember ever seeing any other spec or working group do that, it was the right thing to do in this case—because the CSP spec authors and working group realized that child-src was a mistake, and frame-src was actually necessary and it was a mistake to deprecate it.

So they unwound those mistakes—and relatively quickly. And part of why it worked in this case is: frame-src wasn’t deprecated long enough for browsers to ever get around to dropping support for it, and also a lot of web developers never got around to using child-src to begin with.

sideshowbarker, answered Sep 21 '22 09:09
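As an added example (not code from the question or the answer), a small Python resolver that implements the CSP Level 3 fallback chains the answer describes: frame-src → child-src → default-src for iframes, and worker-src → child-src → script-src → default-src for workers. The worker chain follows the final Level 3 text, where the un-deprecated child-src sits between worker-src and script-src; the draft quoted in the answer skipped child-src. All header values and hostnames below are constructed for illustration.

```python
from urllib.parse import urlparse

# CSP Level 3 fallback chains; the first directive present in the policy wins.
FALLBACKS = {
    "frame":  ["frame-src", "child-src", "default-src"],
    "worker": ["worker-src", "child-src", "script-src", "default-src"],
    "script": ["script-src", "default-src"],
}

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy

def effective_directive(policy, kind):
    """Return (directive, sources) governing a load of `kind`, or None if unrestricted."""
    for name in FALLBACKS[kind]:
        if name in policy:
            return name, policy[name]
    return None

def source_matches(source, url, page_origin):
    """Minimal source-expression match: 'none', 'self', scheme-source, host-source."""
    src = source.strip("'").lower()
    u = urlparse(url)
    if src == "none":
        return False
    if src == "self":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.endswith(":"):                      # scheme-source such as https:
        return u.scheme + ":" == src
    scheme, _, host = src.rpartition("://")    # host-source with optional scheme
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):                  # wildcard subdomain
        return u.netloc.endswith(host[1:])
    return u.netloc == host

def is_allowed(header, kind, url, page_origin):
    """Decide whether a frame/worker/script load of `url` is permitted by `header`."""
    hit = effective_directive(parse_csp(header), kind)
    if hit is None:
        return True   # no governing directive in the chain: CSP does not restrict it
    return any(source_matches(s, url, page_origin) for s in hit[1])
```

Run `effective_directive` against a policy with only default-src and script-src to see that workers silently inherit the script policy, which is the situation the answer's step 3 accepts and step 4 tightens with worker-src.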