Re: CSP required reporting a bad precedent?

Thanks for bringing this to the list Fred.

We could put this on the agenda for the PING call on Thursday (18 October). Would you be available to introduce the specification and the issues you have identified?

BTW, would you also send a pointer to the specification?

Best regards,
Christine and Tara

On Oct 14, 2012, at 1:57 PM, Fred Andrews wrote:

> The CSP spec. is nearing recommendation and I have been trying to make a case for reporting to be optional which would allow the UA to choose to make reporting opt-in or to report to the user if desired.  My suggestions to the WG have been met with ridicule and with claims that the reporting does not reveal any information not already known to the content author.
> 
> The mandated reporting of security violations detected by the UA back to the server appears to be unprecedented.  Could I ask if anyone is aware of any other w3c standards that require the UA to report security violations to the server?
> 
> Does anyone else share my concern that allowing w3c standards to require the reporting of security violations is a bad precedent?
> 
> While a UA could still decide not to report a violation, if the standard requires this then server software could be written to depend on it and a UA not reporting could be discriminated against.
> 
> I am also concerned that the reporting could be used to report on user customization of the CSP policy.  For example, if a user decides a particular third party is not trustworthy and adjusts the CSP policy to block the third party, then when an attempt is made to load the blocked third-party resource the UA would be required to report the violation to the first party. This in turn could be used to discriminate against the user.
> 
> I am preparing a final response to the WG regarding CSP on the issue of the required reporting and would welcome any input.
> 
> cheers
> Fred
> 

Received on Sunday, 14 October 2012 17:27:34 UTC
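To make the disclosure concern in Fred's message concrete, here is an added example (not part of the thread, and not code from the CSP WG or any UA) showing what a server's report-uri endpoint receives and can derive from a CSP 1.0 violation report. The report body, the first-party and tracker host names and the server policy are all constructed for the example; the field names (`csp-report`, `document-uri`, `blocked-uri`, `violated-directive`, `original-policy`) are those of the CSP 1.0 report format. The `disclosures` helper illustrates the point made above: because the UA sends back the policy it actually enforced, a server can tell that a user-adjusted policy differs from the one it served.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a CSP 1.0 violation report, as a UA would POST it
# (JSON) to the policy's report-uri. All values are invented for this example.
SAMPLE_REPORT_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://first-party.example/page",
        "referrer": "",
        "blocked-uri": "https://tracker.example/beacon.js",
        "violated-directive": "script-src 'self'",
        # The policy the UA enforced: here the user has removed the tracker host.
        "original-policy": "script-src 'self'; report-uri /csp-report",
    }
})

# Policy the server actually sent in its Content-Security-Policy header (constructed).
SERVER_POLICY = "script-src 'self' https://tracker.example; report-uri /csp-report"

# Fields a report-uri endpoint should insist on before trusting a report.
REQUIRED_FIELDS = ("document-uri", "blocked-uri", "violated-directive", "original-policy")


def parse_csp_report(body):
    """Parse the JSON body of a report-uri POST and return the csp-report dict.
    Raises ValueError if the envelope or any mandatory field is missing."""
    try:
        envelope = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("report body is not JSON") from exc
    report = envelope.get("csp-report") if isinstance(envelope, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [f for f in REQUIRED_FIELDS if f not in report]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return report


def normalize_policy(policy):
    """Canonical form of a policy string (directive -> sorted source list) so
    two policies compare equal regardless of directive order and whitespace."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = tuple(sorted(parts[1:]))
    return directives


def disclosures(report, server_policy):
    """Summarise what a single report reveals to the receiving server:
    which third-party host the UA blocked, and whether the policy the UA
    enforced differs from the one the server sent (i.e. was locally adjusted)."""
    blocked_host = urlparse(report["blocked-uri"]).netloc
    policy_differs = normalize_policy(report["original-policy"]) != normalize_policy(server_policy)
    return {
        "blocked_host": blocked_host,
        "violated_directive": report["violated-directive"],
        "policy_differs_from_server": policy_differs,
    }


if __name__ == "__main__":
    parsed = parse_csp_report(SAMPLE_REPORT_BODY)
    print(disclosures(parsed, SERVER_POLICY))
```

Run as a script, the block prints the blocked host (`tracker.example`) and `policy_differs_from_server: True`, which is exactly the information a user who locally tightened the policy might not expect the first party to learn. A privacy-conscious endpoint can only limit what it stores, not what the UA sends; the comparison in `disclosures` is there to show the exposure, not to recommend acting on it.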