
Re: Request for Change to CSP Specification

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Fri, 9 Dec 2011 09:24:18 -0800
Message-ID: <CACSvzRxNGX8B6+FUBcgZeFeqz-5HGZs3H_VypvevFLWAqUuUeg@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Jason Franklin <jfrankli@cs.cmu.edu>, public-web-security@w3.org
Hi!

We added CSP to Google+ to detect instances of Mixed Content, and with the
current report data it's just marginally useful.

I agree with Jason.

Greetings!
On Dec 8, 2011 12:29 PM, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:

> I think it is better to wait for the first revision to go live on
> browsers and gather feedback from web applications that adopt CSP.  It
> might just turn out that needing some INSERT_SOME_IMPORTANT_SECRET
> info in the report is important but could be bad to send cross-origin.
> There is hardly any data/feedback right now from CSP adopters. The
> next revision can add the cross-origin report capability; while other
> way around might be more painful.
>
> --devdatta
>
> On 7 December 2011 17:41, Jason Franklin <jfrankli@cs.cmu.edu> wrote:
> > restriction on report-uri in the CSP Specification.  First, I don't
> > see how the restriction defends against any reasonable adversary model
> > (as Adam Barth also noted in his bugzilla post on 2011-07-18) and
> > secondly, it makes it more difficult for a company to provide a
> > reporting collection and analysis service. Ideally browsers could be
> > instructed to send alerts back to a third-party.  I would like to
> > submit a request for this restriction to be removed.
> >
> > - Jason Franklin
> > Research Associate
> > Stanford University
Received on Friday, 9 December 2011 17:24:54 GMT
