Re: CSP 1.0: relaxing mandated enforcing and monitoring to avoid probing and to avoid content being written to depend on CSP. from Adam Barth on 2012-09-13 (public-webappsec@w3.org from September 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 13 Sep 2012 08:46:30 -0700
To: Fred Andrews <fredandw@live.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAJE5ia9G1J+u+dP81-=NPA_zyD5sa-2z+XKds_dioN2u=hhaiw@mail.gmail.com>

It's not a security or privacy problem to make UA features detectable.
 In fact, that's commonly a goal of new features.  In CSP 1.1, we plan
to add an explicit mechanism for the server to detect which CSP
features the UA supports.

If you follow your line of reason, then all UA requirements in all
specs would be downgraded from MUST to SHOULD.  That's not how we
write specs in the W3C.  The important thing to realize is that UAs
are not required to implement CSP at all.  The requirements in the
spec apply only if the UA chooses to implement CSP.  If a UA does
implement CSP, the UA MUST do various things, including actually
enforcing the policies.

Adam

On Thu, Sep 13, 2012 at 6:47 AM, Fred Andrews <fredandw@live.com> wrote:
> The CSP requirement that the UA MUST enforce the policies and MUST monitor
> them when so declared, combined with the required reporting, may have the
> unexpected consequence of allowing the server to probe the CSP capabilities
> of the client.  Further it would allow content to be written that depends on
> CSP for correct operation and this would not appear to be the intent of CSP.
>
> For example a server could declare reporting of various directives and
> deliberately trip these checks to have reports returned.  The presence or
> absence of these reports would leak capabilities of the UA back to the
> server.  This is a privacy and fingerprinting issue, and could even be used
> to refuse service to a UA with reporting disabled.
>
> Could I suggest changing the following uses of MUST to SHOULD or MAY to help
> avoid these issues.
>
> "Content-Security-Policy Header Field: ... Upon receiving an HTTP response
> containing at least one Content-Security-Policy header field, the user agent
> SHOULD enforce each of the policies contained in each such header field."
>
> "Content-Security-Policy-Report-Only Header Field: ... Upon receiving an
> HTTP response containing at least one Content-Security-Policy-Report-Only
> header field, the user agent SHOULD monitor each of the policies contained
> in each such header field."
>
> Making reporting opt-in would also address this matter.
>
> cheers
> Fred
>

Received on Thursday, 13 September 2012 15:47:30 UTC