
Re: CSP and web analytics

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 8 Jun 2011 20:26:52 +0100
Message-ID: <BANLkTimVYzTnQWBbkWgkAUPy5Y8iwcaD=Q@mail.gmail.com>
To: John Wilander <john.wilander@owasp.org>
Cc: public-web-security@w3.org
On 8 June 2011 12:19, John Wilander <john.wilander@owasp.org> wrote:

> To get ready for Content Security Policy in production organizations have
> to get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there and the decision to use
> them is typically made by managers closer to money than the security
> department typically is.
>

As I see it there are two problems: a) Sites will wrongly implement a CSP
policy with inline enabled (xss protection off) to make analytics work
rather than put them in a separate file. b) The analytics on the page will
be abused to log their xss attacks without using another external server.
Both break CSP at the core IMO and unless an alternative method is developed
to handle inline script then it drastically reduces CSP effectiveness.
Received on Wednesday, 8 June 2011 19:27:19 UTC
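An added example, not part of the thread and not code from either author, that checks a policy header for the shortcut gaz describes (re-enabling inline script so an analytics snippet keeps working). It assumes the current Content-Security-Policy header syntax rather than the 2011 draft, and the analytics host `https://analytics.example` is a constructed placeholder.

```python
"""Flag a Content-Security-Policy header that re-enables inline script."""
from __future__ import annotations

KEYWORD_INLINE = "'unsafe-inline'"
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; directive
    names are case-insensitive, and a repeated directive is ignored.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; without it, default-src applies."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def allows_inline_script(header: str) -> bool:
    """True if inline <script> blocks (the usual XSS vector) would run.

    No script-src and no default-src means scripts are unrestricted.
    A nonce or hash in the source list disables 'unsafe-inline'
    in CSP level 2 and later, so the policy is still strict then.
    """
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return True
    sources = [s.lower() for s in effective_script_sources(policy)]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return KEYWORD_INLINE in sources and not has_nonce_or_hash


# Constructed sample policies: the inline shortcut versus loading the
# analytics bootstrap from an external file on an allowed host.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://analytics.example"
SAFE_POLICY = "default-src 'self'; script-src 'self' https://analytics.example"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("safe", SAFE_POLICY)):
        print(f"{label}: inline script allowed = {allows_inline_script(header)}")
```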
