
Feedback on the Content Security Policy 1.0

From: Fred Andrews <fredandw@live.com>
Date: Mon, 10 Sep 2012 14:35:28 +0000
Message-ID: <BLU002-W223F4E2E2095582E33062E5AAAC0@phx.gbl>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Please see below for comments on the Content Security Policy 1.0.

* "Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources."

The application runs on users' personal computers and they can choose to interpret these directives as they please, so the wording appears rather disingenuous.  Could I suggest:

"Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client from where the application needs to load resources."


* "To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script."

Could I suggest:

"To mitigate XSS, for example, a web application can declare from where it needs to load scripts, allowing the client to detect and block an attacker who can inject content into the web application to inject malicious script."


* "The term security policy, or simply policy, for the purposes of this specification refers to either:
    a set of security preferences for restricting the behavior of content within a given resource, or
    a fragment of text that codifies these preferences."

Could I suggest:

"The term resource restrictions policy, or simply policy, for the purposes of this specification refers to either: a set of resource restrictions within which the content can operate, or a fragment of text that codifies these restrictions."


* "A server transmits its security policy for a particular protected resource as a collection of directives, such as default-src 'self', each of which controls a specific set of privileges for that protected resource as instantiated by the user agent. More details are provided in the directives section."

The information being sent has nothing to do with the server security. The server can not implement its security at the client.  The information is in no way capable of controlling a set of privileges on the server or the client.  This wording is very confusing.  Could I suggest:

"A server transmits the resource restrictions policy for a particular resource as a collection of directives, such as default-src 'self', each of which declares a specific set of restrictions for that resource as instantiated by the user agent.  More details are provided in the directives section."


* "Content-Security-Policy-Report-Only"

The reporting is a gross invasion of privacy, and simply fails to meet the technical reality that the client is in command and the CSP is advisory.  A client may have good reason in normal operation for operating outside the restrictive set of resources needed by the web application.  If there is any reporting then it should be to the user at the client to inform them about applications operating outside their declared resource needs.  Any feedback reports should be opt-in.


The approach the proposal takes fails to take into account extensions run on the client that modify and manipulate the application document.  Until there is a comprehensive solution that takes this reality into account this proposal is applicable only to a subset of locked down clients and thus it does not appear worthy of standardization at this stage.

There are some interesting ideas in this proposal and I suggest trying to recover some of these by changing the approach to communicating the restrictions within which an application can operate.  Clients could also use such information to give users a risk assessment of an application - for example an application that does not require JS would be a much lower risk, applications that are not contacting third parties or do not store long term cookies could be rated as more private, applications that use only https could be rated as more secure, etc.  It would also allow clients to determine if applications will work under the restrictive settings that they have set.  There seems to be scope for a much more positive contribution here, and it needs to take into account client extensions which could be a difficult issue to resolve.

cheers
Fred
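As an added illustration, not part of Fred's message or of the CSP specification, the following Python models the client-side step the message keeps returning to: the user agent receives a policy such as `default-src 'self'`, parses it, and decides for each load whether to allow it, block it, or (under Report-Only) merely report it. The function names `parse_csp`, `source_matches` and `decide` and the hostnames are constructed for this example; the matcher covers only the CSP 1.0 subset of `'none'`, `'self'`, scheme-qualified hosts and `*.` wildcards.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Parse a CSP 1.0 header value into {directive_name: [source_expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, doc_origin, url):
    """Does one source expression ('none', 'self', or a host-source) match `url`?"""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # 'self' means the document's own origin: scheme, host and port must agree.
        d = urlsplit(doc_origin)
        return (u.scheme, u.hostname, u.port) == (d.scheme, d.hostname, d.port)
    if expr.startswith("'"):
        # Other keyword sources ('unsafe-inline', 'unsafe-eval') are not URL matchers.
        return False
    scheme, _, host = expr.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        # Wildcard host-source: any subdomain of the named domain.
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def decide(policy, directive, doc_origin, url, report_only=False):
    """Return 'allow', 'block' or 'report' for a load governed by `directive`.

    The client applies the declared restrictions; with Report-Only it lets the
    load proceed and only records the violation, which is exactly the behaviour
    the message argues should be under the user's control.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return "allow"  # no applicable directive: the load is unrestricted
    if any(source_matches(s, doc_origin, url) for s in sources):
        return "allow"
    return "report" if report_only else "block"
```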

Received on Monday, 10 September 2012 14:35:58 GMT
