W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

RE: New proposed charter and chairs for WebAppSec WG

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 6 Jun 2011 23:01:32 -0600
To: Brandon Sterne <bsterne@mozilla.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB54F67EF087@DEN-MEXMS-001.corp.ebay.com>
I did not intend to foreclose on, for example, headers as an acceptable means of policy conveyance.  I only feel strongly that usability/manageability by resource owners must be a first-order part of the WG's scope.    

-Brad

-----Original Message-----
From: Brandon Sterne [mailto:bsterne@mozilla.com] 
Sent: Monday, June 06, 2011 5:06 PM
To: Hill, Brad
Cc: public-web-security@w3.org
Subject: Re: New proposed charter and chairs for WebAppSec WG

On 06/06/2011 03:41 PM, Hill, Brad wrote:
> Yes, the unofficial CSP draft (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html) is a major deliverable which this group would continue to advance along Recommendations Track - I didn't mean to imply otherwise and have zero desire to start over with the excellent work you've done there in both specification and implementation.

Okay, that is a relief :-)

> Re: manageability.  The philosophy of the CSP is exactly the sort of thing I'm driving at with manageability as a top-level concern, as a positive example vs. e.g., having to manage the attributes of every tag in every resource on a domain.  The value judgment is that security policy  must be available at the same scope as the security guarantees which depend on it.  So, if a single XSS can compromise the security of an entire origin's applications, it should be possible to specify and apply anti-XSS policies at the level of the entire origin.  There's a huge history of vulnerabilities to show why this is important.  

I can't argue with the assertion that a single XSS tends to compromise the security of an entire origin, but I'm not sure that it a requirement for global policy mechanism follows from that assertion.

> I'm aware of the discussion here, as far as headers vs/and/or in addition to, a well-known policy location, controversy about adding extra requests, and appreciate the conservative instinct there in creating a first implementation.  I included it in the charter proposal because I feel that policy scope, advertisement and deployment mechanisms are still relevant and live topics for advancement and discussion in the WG from a variety of perspectives.
> 
> Is your opinion otherwise, that this is a settled issue and should be out of scope?
>
> -Brad

No, my personal preference is to leave out a global policy mechanism for the sake of keeping CSP simpler, but I definitely wouldn't and couldn't declare the issue settled or out of scope.  If people feel strongly that such a mechanism should be added to CSP then I would suggest they make the case on the list.  Adding it to the charter as you have it does, though, seem to remove some opportunity for the counter position to be taken.

Thanks,
Brandon
Received on Tuesday, 7 June 2011 05:02:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC