- From: Fred Andrews <fredandw@live.com>
- Date: Wed, 17 Oct 2012 10:49:46 +0000
- To: Dan Veditz <dveditz@mozilla.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <BLU002-W7522A86588EE938D7456E0AA770@phx.gbl>
Hi Dan,

Just to clarify, when reporting is required the server can depend on the absence of a report when it trips its own policy to signal that the UA has not implemented the policy. If reporting is opt-in the server cannot depend on the absence of a report to signal that the UA has not implemented a policy - it could just indicate that the UA has decided not to send the report.

cheers
Fred

> Date: Tue, 16 Oct 2012 18:35:10 -0700
> From: dveditz@mozilla.com
> To: fredandw@live.com
> CC: public-webappsec@w3.org
> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>
> On 10/16/12 3:36 PM, Fred Andrews wrote:
> > CSP 1.0 required a UA to submit a report when requested by the server
> > and thus that a server could depend on this.
>
> Servers can't rely on anything. The client might not support CSP at all.
> The client might partially support a non-standard predecessor of the
> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
> support.
>
> CSP cannot be relied on to turn an insecure site into a secure site; the
> site author still must strive to make their site secure. CSP provides a
> syntax by which a server can specify constraints it expects its content
> to follow so that a UA can provide some backup defense in depth in the
> face of bugs or attacks. But servers absolutely cannot rely on the
> client doing this.
>
> In the most trivial of examples: even if the client fully enforces the
> spec with no user modifications, if the content is not served over SSL
> the CSP policy itself might be stripped from the content before it
> reaches the client. The server should not rely on reports.
>
> -Dan Veditz
Received on Wednesday, 17 October 2012 10:50:17 UTC
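The canary described in the thread (a page that deliberately trips its own policy so that an enforcing UA must send a report) and the conclusion the server may draw from it, as an added example that is not part of the thread. It assumes a report endpoint at `/csp-report`, the CSP 1.0 `csp-report` JSON shape, and a constructed sample report; the only safe inference is the one Dan describes: a valid report is positive evidence, while no report proves nothing.

```python
import json
from typing import Optional

# Policy sent with the canary page. The page itself contains an inline
# script, which this policy forbids, so a UA enforcing CSP 1.0 must POST
# a violation report to report-uri. Path and policy are assumptions.
CANARY_POLICY = "default-src 'self'; report-uri /csp-report"
REPORT_PATH = "/csp-report"

def csp_headers() -> dict:
    """Response headers for the canary page (CSP 1.0 header name)."""
    return {"Content-Security-Policy": CANARY_POLICY}

def parse_report(body: bytes) -> Optional[dict]:
    """Parse a CSP 1.0 report body ({"csp-report": {...}}); None if malformed."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    for key in ("document-uri", "violated-directive", "original-policy"):
        if not isinstance(report.get(key), str):
            return None
    return report

def is_canary_report(report: dict) -> bool:
    """True only for the canary violation under the policy we actually sent.
    Reports for other policies or directives (stale, forged, or from another
    page) are not evidence about this UA. The directive check allows either
    default-src or script-src, since UAs differ in which one they name."""
    directive = report["violated-directive"].split()[0]
    return (report["original-policy"] == CANARY_POLICY
            and directive in ("default-src", "script-src"))

def classify_ua(report_body: Optional[bytes]) -> str:
    """'enforcing' on a valid canary report, otherwise 'unknown'.
    Absence of a report is never 'unsupported': the UA may lack CSP, have it
    disabled, treat reporting as opt-in, or the header may have been stripped
    in transit on a non-SSL connection."""
    if report_body is None:
        return "unknown"
    report = parse_report(report_body)
    if report is None or not is_canary_report(report):
        return "unknown"
    return "enforcing"

# Constructed sample of what an enforcing UA would POST for the canary page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/canary",
    "referrer": "",
    "blocked-uri": "",
    "violated-directive": "default-src 'self'",
    "original-policy": CANARY_POLICY}}).encode()
```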