
Re: CSP and web analytics

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 8 Jun 2011 10:25:13 -0700
Message-ID: <BANLkTindmmkc7f67txaUFXvf_wHatiFq1g@mail.gmail.com>
To: John Wilander <john.wilander@owasp.org>
Cc: public-web-security@w3.org
Yeah, one of the challenges for CSP is that it imposes constraints on
how you integrate with third-parties.  Web analytics is probably one
of the easier examples of this issue.  Advertising is probably more
challenging.  My sense is that CSP succeeding on this dimension is
going to take a while.  Enough developers need to be interested in
using the feature that providers of these third-party services have an
incentive to play nicely with CSP.


On Wed, Jun 8, 2011 at 4:19 AM, John Wilander <john.wilander@owasp.org> wrote:
> Hi PubWebSec!
> To get ready for Content Security Policy in production, organizations have to
> get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there and the decision to use
> them is typically made by managers closer to money than the security
> department typically is.
> I've been using both SiteCatalyst and Analytics before, both using inline
> JavaScript. Looking at their online documentation and tutorials I only see
> inline solutions.
> Example from SiteCatalyst tutorial
> (https://developer.omniture.com/en_US/get-started/sitecatalyst-tagging):
> [bla, bla] return to the Page Code tab and copy all of the code in the tab.
> In the HTML files, locate the comment that says Begin Paste the SiteCatalyst
> JavaScript Page code here and then paste the Page Code below the comment.
> Example from Analytics tutorial
> (http://www.google.com/support/googleanalytics/bin/answer.py?answer=174090):
> In the Profile Settings page, click the "Check Status" link. You'll see
> something similar to the code snippet below. (...) Once you find the code
> snippet, copy and paste it into your web page, just before the closing
> </head> tag.
> All of this will be a show stopper for CSP. I think we have to start working
> with the web analytics vendors to 1) find working file-only solutions, and
> 2) write good tutorials on how to get file-only web analytics working. We
> might be successful since developers in general consider this "paste the
> JavaScript into your page" practice quite ugly.
> Thoughts?
>    Regards, John
> --
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> My music http://www.johnwilander.com
Received on Wednesday, 8 June 2011 17:26:13 UTC
