CSP 1.0: relaxing mandated enforcing and monitoring to avoid probing and to avoid content being written to depend on CSP.

From: Fred Andrews <fredandw@live.com>
Date: Thu, 13 Sep 2012 13:47:08 +0000
Message-ID: <BLU002-W115B110B20311359B1BE444AA910@phx.gbl>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

The CSP requirement that the UA MUST enforce the policies and MUST monitor them when so declared, combined with the required reporting, may have the unexpected consequence of allowing the server to probe the CSP capabilities of the client. Further, it would allow content to be written that depends on CSP for correct operation and this would not appear to be the intent of CSP.

For example, a server could declare reporting of various directives and deliberately trip these checks to have reports returned. The presence or absence of these reports would leak capabilities of the UA back to the server. This is a privacy and fingerprinting issue, and could even be used to refuse service to a UA with reporting disabled.

Could I suggest changing the following uses of MUST to SHOULD or MAY to help avoid these issues.

"Content-Security-Policy Header Field: ... Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent SHOULD enforce each of the policies contained in each such header field."

"Content-Security-Policy-Report-Only Header Field: ... Upon receiving an HTTP response containing at least one Content-Security-Policy-Report-Only header field, the user agent SHOULD monitor each of the policies contained in each such header field."

Making reporting opt-in would also address this matter. 

cheers
Fred

 		 	   		  
Received on Thursday, 13 September 2012 13:47:40 GMT
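
The opt-in reporting suggested in the message, sketched as a user-agent-side gate on the report channel (an added example, not part of the original post and not any browser's code). The function names, the `reporting_opt_in` flag and the sample policy and URLs are assumptions constructed for illustration, and source matching is reduced to `*`, `'self'` and exact origins.

```python
from urllib.parse import urlsplit

def parse_policy(header_value):
    """Parse a CSP 1.0 header value into {directive: [values]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP 1.0: a repeated directive name is ignored, the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def allowed(sources, url, page_url):
    """Simplified matching (assumption): '*', 'self' and exact origins only."""
    for s in (s.lower() for s in sources):
        if s == "*" or s.rstrip("/") == origin(url):
            return True
        if s == "'self'" and origin(url) == origin(page_url):
            return True
    return False  # also covers 'none' and an empty source list

def outgoing_reports(header_value, page_url, loads, reporting_opt_in):
    """Return the (report_uri, directive, blocked_url) reports the UA would send.

    loads is a list of (directive, url) pairs for resources the page requests.
    Without the user's opt-in nothing is sent to the server's report-uri.
    """
    policy = parse_policy(header_value)
    targets = policy.get("report-uri", [])  # kept unresolved, as written
    if not reporting_opt_in or not targets:
        return []
    reports = []
    for directive, url in loads:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is not None and not allowed(sources, url, page_url):
            reports += [(t, directive, url) for t in targets]
    return reports

# Constructed sample: a Report-Only policy and three resource loads.
HEADER = "default-src 'self'; img-src 'none'; report-uri /csp-report"
PAGE = "https://example.test/"
LOADS = [("img-src", "https://example.test/a.png"),
         ("script-src", "https://cdn.example.test/x.js"),
         ("script-src", "https://example.test/app.js")]

if __name__ == "__main__":
    print(outgoing_reports(HEADER, PAGE, LOADS, reporting_opt_in=True))
    print(outgoing_reports(HEADER, PAGE, LOADS, reporting_opt_in=False))
```

With the flag off, the list of reports is empty whatever the policy declares, so the report channel alone no longer tells the server whether the UA evaluated the policy.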
