
Re: Unofficial Draft of Content Security Policy

From: Terri Oda <terri@zone12.com>
Date: Thu, 24 Mar 2011 00:09:09 -0400
Message-ID: <4D8AC3E5.9030300@zone12.com>
To: Brandon Sterne <bsterne@mozilla.com>
CC: Collin Jackson <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>

So, I went around asking some random security folk, web folk, and a 
couple of sysadmins.  Maybe 10-15 people in total.  Pretty much all of 
them felt that (b) was the better option for various reasons: usability 
confusion on the part of users/developers, increased support costs, more 
intuitive behaviour ("if there's no policy then none should be 
enforced"), etc.

I work in a security lab with quite a lot of human factors/usability 
work going on so we've spent a lot more time than average watching users 
fail or succeed at security-related tasks, but even those people not 
affiliated with my lab said it sounded like a usability and 
comprehension disaster to fail closed in this case.

(Two people also had a little rant about how frustrating they found the 
behaviour with respect to self-signed SSL certificates in Firefox; I 
thought it was interesting that this brought that choice to mind.)

Brandon Sterne wrote:
> On 03/08/2011 09:43 AM, Brandon Sterne wrote:
>   
>> 1. As the document notes, there is still an unresolved issue over what
>> to do with an empty policy: a) most restrictive, or b) most permissive.
>>  Mozilla felt that a) was preferable because it allows us to "fail
>> closed", something we tried to do consistently throughout the model.  We
>> also wanted to "fail early and fail hard" so that it is obvious to the
>> developer that something has gone horribly wrong.  When every image,
>> script and stylesheet fails to load in a resource it's fairly obvious :-)
>>
>> Can you make a case for why b) is preferable?
>>     
>
> Going back, I see you made a fairly compelling case for b) here:
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
>
> I'm torn myself.  What do others think?
>
> -Brandon
Received on Thursday, 24 March 2011 04:09:40 GMT
