Re: Keeping sandbox directive in CSP 1.0 from Adam Barth on 2012-05-25 (public-webappsec@w3.org from May 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 24 May 2012 17:54:23 -0700
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: Travis Leithead <travis.leithead@microsoft.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrian Bateman <adrianba@microsoft.com>
Message-ID: <CAJE5ia-YPrtcOtJr19h4TB0pzqGjghkfNPRw0vBSyUXHrvhe0g@mail.gmail.com>

On Thu, May 24, 2012 at 5:34 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> According to the current CSP 1.0 specification, being conformant to the spec
> requires supporting all of the specified directives.  Since no two browsers
> currently support all the directives, it is not clear that it's feasible for
> any user agent to be conformant.  We believe that having two browsers be
> totally conformant to CSP 1.0 is the right approach for developers, so that
> they know that a browser claiming to support CSP provides all of the
> directives in the 1.0 spec.

According to the working group's charter
<http://www.w3.org/2011/08/appsecwg-charter.html>, we need only two
independent implementations of each feature described in the
specification, not of the entire specification:

---8<---
To advance to Proposed Recommendation, each specification is expected
to have two independent implementations of each feature described in
the specification.
--->8---

Moreover, we haven't even issued a Call for Implementations yet
<http://www.w3.org/2005/10/Process-20051014/tr#cfi>.  According to W3C
process, we don't issue a Call for Implementations until the document
has reached the Candidate Recommendation.

We're discussing advancing this document to Working Group Last Call
<http://www.w3.org/2005/10/Process-20051014/tr#last-call>, which
carries has no implementation requirements, either from our charter
for from the W3C process.

> In order to put the sandbox directive in 1.0, we would need to change the
> conformance text to no longer require support for all directives.

That's not correct.  The document merely forbids anyone from claiming
they have a conforming implementation unless they implement all the
features.

> Mozilla does not support changing this text since developers will be unsure what
> compliance with the specification means for different user agents.

That's fine, but don't see any reason why having that text in the
document prevents the document from advancing to Working Group Last
Call.

> In addition, we believe it is a little late to introduce this into 1.0.  The
> issue tracker currently has no open CSP issues, implying that the spec is
> ready for Last Call, and hence not the time to add a new directive.

It's hardly a new directive.  We've been discussing it for months.  In
fact, the sandbox directive has been present in the document since
this working group issued it as a FPWD on 29 November 2011, roughly
six months ago:

http://www.w3.org/TR/CSP/#sandbox

Adam


> On 5/15/12 2:17 PM, Travis Leithead wrote:
>
> During the Face-to-face, I failed to realize that there were already two
> interoperable implementations of this, which (as Phillipe mentioned) would
> allow the 1.0 spec to advance to CR even with sandbox support. I understand
> that this was one of the concerns brought up when discussing this.
>
>
>
> From: Jacob Rossi [mailto:Jacob.Rossi@microsoft.com]
> Sent: Tuesday, May 15, 2012 1:27 PM
> To: public-webappsec@w3.org
> Cc: Adrian Bateman
> Subject: Keeping sandbox directive in CSP 1.0
>
>
>
> Hi folks,
>
>
>
> Since it's our off week for a telecon, I wanted to continue our discussion
> about the sandbox directive staying in the 1.0 spec (rather than postponing
> to 1.1).
>
>
>
> Microsoft believes that the HTML5 Sandbox feature is incomplete without a
> corresponding server side mechanism for enforcing sandbox restrictions.  As
> an example, this is impactful for scenarios where a page is normally hosted
> in a sandboxed iframe but the somehow the user is misled to navigate
> directly to the content (escaping the iframe sandbox).
>
>
>
> We believe this feature is ready and stable for web developers to start
> using today. Keeping it in the 1.0 spec codifies that and helps us encourage
> web developers to use the feature to further secure their site, quelling
> fears by web developers of the feature changing out from under them. At TPAC
> and in previous telecons, we've discussed whether this should be in the 1.0
> spec before--consensus at the time was to include it in 1.0.
>
>
>
> We do not see any technical or procedural reason that would warrant delaying
> this useful feature. There currently are no open technical issues on how the
> feature works, we have good spec text for the description, and there are two
> interoperable implementations (webkit and IE10).
>
>
>
> We think it's best for the Web that the sandbox directive stay in the 1.0
> spec. There were a couple folks who disagreed with that on our last call, so
> I'd like to continue that discussion so that we can come to a true
> resolution on this issue.
>
>
>
> Thanks,
>
>
>
> Jacob
>
>
>
>
>

Received on Friday, 25 May 2012 00:55:25 UTC