
RE: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 16 Oct 2012 22:58:14 +0000
To: Fred Andrews <fredandw@live.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2A08D0@DEN-EXDDA-S12.corp.ebay.com>
The current spec requires reporting for a user agent to claim a conformant implementation.

A user agent, plugin or proxy could certainly provide a means for users to control this behavior.  Many user agents have long provided the ability to, e.g. turn off loading of images, css or script, override page-specified fonts and colors, or disable cookies, and they could choose to do so for CSP or sub-features of CSP.

It is not traditional for these specifications to speak directly to such options as:

1) Whether and how to provide these controls is at the prerogative of the user and their user agent

2) A user agent so configured is not providing a compliant implementation of those specifications - it is opting out of doing so

Reporting and feedback is a core feature of and use case for CSP.  I don't think there has been any interest expressed by members of the WG to make it optional for compliance purposes.  I have similarly seen little or no interest by implementers in making it opt-in (vs opt-out) as CSP's reporting does not provide any qualitatively new functionality to resource authors (even with non-same origin reports) that hasn't been present since the introduction of JavaScript in 1995 - it only provides a declarative policy language to simplify their generation in a standard format.

-Brad Hill

From: Fred Andrews [mailto:fredandw@live.com]
Sent: Tuesday, October 16, 2012 3:37 PM
To: public-webappsec@w3.org
Subject: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

It would be appreciated if the WG could clarify whether a browser conforming to CSP 1.0 is permitted to implement reporting as opt-in.

It was my understanding, based on the decision of issue 11 and prior discussion on this list, that CSP 1.0 required a UA to submit a report when requested by the server and thus that a server could depend on this.  However, a recent response suggests this may not be the consensus.

cheers
Fred
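The "standard format" Brad refers to is the JSON violation report a user agent POSTs to the report-uri endpoint. As an added example (not code from this thread, from the W3C, or from any user agent), here is a small Python receiver that validates a CSP 1.0 violation report before counting it. It assumes the five csp-report fields named in the CSP 1.0 specification (document-uri, referrer, blocked-uri, violated-directive, original-policy); the size limits, the sample report and its URIs are constructed for this example.

```python
import json
from collections import Counter

# Fields CSP 1.0 defines for the "csp-report" object of a violation report
# (the "Reporting" section of the CSP 1.0 spec). Anything else is ignored.
CSP10_REPORT_FIELDS = (
    "document-uri",
    "referrer",
    "blocked-uri",
    "violated-directive",
    "original-policy",
)

# Constructed limits for this example; a real collector would tune them.
MAX_REPORT_BYTES = 8192
MAX_FIELD_CHARS = 2048


class ReportError(ValueError):
    """Raised when a POST body is not an acceptable CSP 1.0 violation report."""


def parse_csp_report(body: bytes, content_type: str) -> dict:
    """Validate one report-uri POST and return the sanitised csp-report fields.

    Reports are attacker-influenced input: any visitor, or any script that
    simply POSTs to the endpoint, can send arbitrary bytes. The collector
    therefore checks media type, size, JSON shape and field types before
    it stores or counts anything.
    """
    if content_type.split(";", 1)[0].strip().lower() != "application/json":
        raise ReportError("unexpected Content-Type")
    if len(body) > MAX_REPORT_BYTES:
        raise ReportError("report too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ReportError("malformed JSON") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("csp-report"), dict):
        raise ReportError("missing csp-report object")
    report = payload["csp-report"]
    cleaned = {}
    for field in CSP10_REPORT_FIELDS:
        value = report.get(field, "")
        if not isinstance(value, str):
            raise ReportError(f"{field} must be a string")
        cleaned[field] = value[:MAX_FIELD_CHARS]  # truncate untrusted text
    if not cleaned["violated-directive"]:
        raise ReportError("violated-directive is empty")
    return cleaned


def accepts(body: bytes, content_type: str) -> bool:
    """True if parse_csp_report would accept this POST."""
    try:
        parse_csp_report(body, content_type)
    except ReportError:
        return False
    return True


def summarise(reports) -> dict:
    """Count accepted reports per violated directive.

    An empty result means "no reports received", not "no violations":
    a user agent that does not send reports, or a user who has turned
    them off, looks exactly like a page with nothing to report.
    """
    return dict(Counter(r["violated-directive"] for r in reports))


# Constructed sample report in the CSP 1.0 shape; not captured from any
# real user agent, and the URIs are placeholders.
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/page",
        "referrer": "",
        "blocked-uri": "https://third-party.example",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri /csp-report",
    }
}).encode("utf-8")


if __name__ == "__main__":
    report = parse_csp_report(SAMPLE_BODY, "application/json")
    print(summarise([report]))
```

The caveat in summarise is the practical consequence of Fred's question: whatever the conformance answer, a site that acts on the absence of reports (for example, concluding a policy is safe to enforce because monitoring produced nothing) is depending on behaviour a user agent, proxy or user setting may have switched off, so report volume should be read alongside knowledge of which clients actually send reports.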
Received on Tuesday, 16 October 2012 22:58:44 GMT
