RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

> From: eoftedal@gmail.com
> Date: Thu, 13 Sep 2012 22:12:44 -0700
> To: fredandw@live.com; w3c@adambarth.com
> CC: public-webappsec@w3.org
> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid
...
> But is there really a way of removing the possibility of detecting if
> CSP is implemented? The website could always just have the browser
> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and cause
the embedded widget to halt. Servers would not be able to probe using the report-only
return channel, and content that tried to trip its own restrictions to probe the client's
implementation could be detected by the client and alert the user or be inhibited.

cheers
Fred

Received on Friday, 14 September 2012 15:12:33 UTC