W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2012

Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Oct 2012 09:17:35 -0700
Message-ID: <CAJE5ia-hre4CA2zuE9hgW1F-uRz=-C0ttaGtdmTvSzVXqUMfZA@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: Dan Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

What servers can depend on relates to what's implemented by popular
user agents, not what the spec requires.

Adam


On Wed, Oct 17, 2012 at 3:49 AM, Fred Andrews <fredandw@live.com> wrote:
> Hi Dan,
>
> Just to clarify, when reporting is required the server can depend on the
> absence of a report when it trips its own policy to signal that the UA has
> not implemented the policy. If reporting is opt-in the server cannot depend
> on the absence of a report to signal that the UA has not implemented a
> policy - it could just indicate that the UA has decided not to send the
> report.
>
> cheers
> Fred
>
>> Date: Tue, 16 Oct 2012 18:35:10 -0700
>> From: dveditz@mozilla.com
>> To: fredandw@live.com
>> CC: public-webappsec@w3.org
>> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>
>>
>> On 10/16/12 3:36 PM, Fred Andrews wrote:
>> > CSP 1.0 required a UA to submit a report when requested by the server
>> > and thus that a server could depend on this.
>>
>> Servers can't rely on anything. The client might not support CSP at all.
>> The client might partially support a non-standard predecessor of the
>> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
>> support.
>>
>> CSP cannot be relied on to turn an insecure site into a secure site; the
>> site author still must strive to make their site secure. CSP provides a
>> syntax by which a server can specify constraints it expects its content
>> to follow so that a UA can provide some backup defense in depth in the
>> face of bugs or attacks. But servers absolutely cannot rely on the
>> client doing this.
>>
>> In the most trivial of examples: even if the client fully enforces the
>> spec with no user modifications, if the content is not served over SSL
>> the CSP policy itself might be stripped from the content before it
>> reaches the client. The server should not rely on reports.
>>
>> -Dan Veditz
>>
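The thread above is about what a server may and may not infer from the CSP reporting channel. As an added illustration (not code from the thread or from any W3C deliverable), the following Python shows the server side of that channel: emitting a policy with a `report-uri` directive and strictly parsing the JSON violation report a CSP 1.0 user agent POSTs back. The endpoint path `/csp-report`, the sample report and the size limit are assumptions; the report field names (`document-uri`, `violated-directive`, `blocked-uri`, `original-policy`) are the ones defined in CSP 1.0.

```python
"""Server-side handling of a CSP 1.0 report-uri channel.

Added example, not from the mailing-list thread. It emits the policy
header and validates incoming violation reports. Nothing here infers
anything from the *absence* of reports, for the reason Dan and Fred
discuss: silence may mean no CSP support, a non-standard predecessor,
a user who disabled CSP, or a stripped header on a non-SSL page.
"""
import json
from typing import Optional

REPORT_PATH = "/csp-report"   # assumed endpoint path for this example
MAX_REPORT_BYTES = 8192       # assumed cap; the endpoint is client-controlled
REQUIRED_FIELDS = ("document-uri", "violated-directive")


def build_csp_header(policy: str, report_only: bool = False) -> tuple[str, str]:
    """Return (header name, header value) with report-uri appended.

    A UA that implements reporting will POST violations to REPORT_PATH;
    a UA that does not will simply never call it.
    """
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    value = f"{policy.strip().rstrip(';')}; report-uri {REPORT_PATH}"
    return name, value


def parse_csp_report(body: bytes) -> Optional[dict]:
    """Parse a CSP 1.0 violation report body.

    The body is a JSON object whose "csp-report" member carries the
    violation details. Returns a normalised dict, or None when the body
    is oversized, not JSON, or missing required string fields. Reports
    are unauthenticated telemetry from the client, so validate strictly
    and never let them drive enforcement decisions.
    """
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    for key in REQUIRED_FIELDS:
        if not isinstance(report.get(key), str):
            return None
    return {
        "document_uri": report["document-uri"],
        "violated_directive": report["violated-directive"],
        "blocked_uri": report.get("blocked-uri", ""),
        "original_policy": report.get("original-policy", ""),
    }


# Constructed sample report in the shape a CSP 1.0 UA would POST
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example.net/widget.js",
    "original-policy": "default-src 'self'; report-uri /csp-report",
}}).encode("utf-8")

if __name__ == "__main__":
    print(build_csp_header("default-src 'self'"))
    print(parse_csp_report(SAMPLE_REPORT))
    print(parse_csp_report(b"{}"))          # malformed -> None
```

Reports that arrive tell you about the user agents that chose to send them; a quiet endpoint is not evidence that any client enforced the policy, which is why the header builder and the report parser are kept independent of each other.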
Received on Wednesday, 17 October 2012 16:18:37 GMT
