RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid probing and to avoid content being written to depend on CSP. from Fred Andrews on 2012-09-14 (public-webappsec@w3.org from September 2012)

From: Fred Andrews <fredandw@live.com>
Date: Fri, 14 Sep 2012 00:46:16 +0000
To: Adam Barth <w3c@adambarth.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <BLU002-W19868FEA5D6CA44D622129EAA900@phx.gbl>

> From: w3c@adambarth.com
> Date: Thu, 13 Sep 2012 08:46:30 -0700
> Subject: Re: CSP 1.0: relaxing mandated enforcing and monitoring to avoid probing and to avoid content being written to depend on CSP.
> To: fredandw@live.com
> CC: public-webappsec@w3.org
> 
> It's not a security or privacy problem to make UA features detectable.

Browser fingerprinting exploits information about the UA to identify users, see: https://en.wikipedia.org/wiki/Device_fingerprint


Fingerprinting is a privacy issue because it identifies users and this can be used for
tracking etc.  Privacy is a concern for many users, so fingerprinting is a concern for
many users.

>  In fact, that's commonly a goal of new features.  In CSP 1.1, we plan
> to add an explicit mechanism for the server to detect which CSP
> features the UA supports.

Is there a compelling need for the server to be able to detect CSP?

I suggest removing this mechanism for detecting CSP features.
 
> If you follow your line of reason, then all UA requirements in all
> specs would be downgraded from MUST to SHOULD.  That's not how we
> write specs in the W3C.  The important thing to realize is that UAs
> are not required to implement CSP at all.  The requirements in the
> spec apply only if the UA chooses to implement CSP.  If a UA does
> implement CSP, the UA MUST do various things, including actually
> enforcing the policies.

Specs have different purposes.  Some specs are written for interoperability
and may really need MUST specified.  However the CSP is a protection
mechanism implemented by the UA, and it need not impact  the server
which features, if any, the UA decides to implement.

Perhaps the spec could be reworded as "for the UA to take full advantage
of the content restrictions declared by the server it MUST ..."  This gives
the UA room to not implement all checks with the knowledge that it would
not be taking advantage of all restrictions.  Such wording may help ensure
that compatible servers and content is not written to depend on the UA
checking and reporting all declared restrictions.

Consider the reporting.  We want the UA to send a report in the correct
format so 'MUST' is appropriate for the report format.  However, users may
have a privacy concern about the reporting and wish to disable it and this
need have no impact on the server so this could be SHOULD or MAY.

cheers
Fred

Received on Friday, 14 September 2012 00:46:44 UTC