Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

From: Dan Veditz <dveditz@mozilla.com>
Date: Tue, 16 Oct 2012 18:35:10 -0700
Message-ID: <507E0B4E.1010002@mozilla.com>
To: Fred Andrews <fredandw@live.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 10/16/12 3:36 PM, Fred Andrews wrote:
> CSP 1.0 required a UA to submit a report when requested by the server
> and thus that a server could depend on this.

Servers can't rely on anything. The client might not support CSP at all.
The client might partially support a non-standard predecessor of the
approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
support.

CSP cannot be relied on to turn an insecure site into a secure site; the
site author still must strive to make their site secure. CSP provides a
syntax by which a server can specify constraints it expects its content
to follow so that a UA can provide some backup defense in depth in the
face of bugs or attacks. But servers absolutely cannot rely on the
client doing this.

In the most trivial of examples: even if the client fully enforces the
spec with no user modifications, if the content is not served over SSL
the CSP policy itself might be stripped from the content before it
reaches the client. The server should not rely on reports.

-Dan Veditz
Received on Wednesday, 17 October 2012 01:35:37 GMT
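As an added illustration of the position above (example code, not part of the thread and not Mozilla's or the W3C's own), the following shows a server treating CSP as backup only: output escaping is the primary defense, and the report endpoint is best-effort telemetry that tolerates missing or malformed reports. It assumes the CSP 1.0 report format (a `csp-report` object carrying `document-uri`, `blocked-uri`, `violated-directive` and `original-policy`) and a hypothetical `/csp-report` endpoint.

```python
import html
import json

# Field names from the CSP 1.0 "Reporting" section.
REQUIRED_REPORT_FIELDS = ("document-uri", "blocked-uri",
                          "violated-directive", "original-policy")

# Assumed policy for this example; /csp-report is a hypothetical endpoint.
CSP_POLICY = "default-src 'self'; report-uri /csp-report"


def render_comment(user_text):
    """Primary defense: server-side escaping, applied regardless of what
    the client enforces. Returns (headers, html_body)."""
    body = "<p>%s</p>" % html.escape(user_text, quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Backup defense in depth only; may be stripped or ignored downstream.
        "Content-Security-Policy": CSP_POLICY,
    }
    return headers, body


def ingest_csp_report(raw_body):
    """Best-effort telemetry: parse one CSP 1.0 violation report body.
    Returns a normalized dict, or None when the body is malformed.
    No security decision depends on this; an absent or bogus report
    must not change how the server behaves."""
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    if any(not isinstance(report.get(k), str) for k in REQUIRED_REPORT_FIELDS):
        return None
    # Truncate values so an oversized report cannot bloat the log store.
    return {k: report[k][:2048] for k in REQUIRED_REPORT_FIELDS}


# Constructed sample report for this example (not a real captured report).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.com/page",
    "blocked-uri": "http://third-party.example/x.js",
    "violated-directive": "default-src 'self'",
    "original-policy": CSP_POLICY,
}})

if __name__ == "__main__":
    print(render_comment("<script>alert(1)</script>")[1])
    print(ingest_csp_report(SAMPLE_REPORT))
    print(ingest_csp_report("not json"))
```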
