
RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

From: Fred Andrews <fredandw@live.com>
Date: Fri, 14 Sep 2012 15:11:57 +0000
Message-ID: <BLU002-W58D34FE5F7075F70355094AA900@phx.gbl>
To: Erlend Oftedal <eoftedal@gmail.com>, Adam Barth <w3c@adambarth.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

> From: eoftedal@gmail.com
> Date: Thu, 13 Sep 2012 22:12:44 -0700
> To: fredandw@live.com; w3c@adambarth.com
> CC: public-webappsec@w3.org
> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid
...
> But is there really a way of removing the possibility of detecting if
> CSP is implemented? The website could always just have the browser
> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and cause
the embedded widget to halt. Servers would not be able to probe using the report-only
return channel, and content that tried to trip its own restrictions to probe the client's
implementation could be detected by the client and alert the user or be inhibited.

cheers
Fred
Received on Friday, 14 September 2012 15:12:33 GMT
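For readers who have not seen what the "report-only return channel" in the exchange above actually carries, here is an added example (not code from the thread or from any W3C document) that parses the JSON body a CSP 1.0 browser POSTs to a policy's `report-uri`. The field names come from the CSP 1.0 `csp-report` object; the sample report body and the URLs in it are constructed for the example. The point it makes concrete is the one Erlend and Fred are debating: a single well-formed report tells the server that the client implements CSP and which policy it evaluated, and the report looks the same whether the policy was sent with `Content-Security-Policy` or `Content-Security-Policy-Report-Only`.

```python
"""Minimal parser for a CSP 1.0 violation report (the JSON body a browser
POSTs to the policy's report-uri when a directive is violated).

Added example for the discussion above; not part of the original thread."""
import json

# Fields defined for the csp-report object in CSP 1.0.
CSP10_FIELDS = (
    "document-uri",
    "referrer",
    "blocked-uri",
    "violated-directive",
    "original-policy",
)

# Constructed sample report body; the page and widget URLs are made up.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/page",
        "referrer": "",
        "blocked-uri": "https://widget.example.net/widget.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri /csp-report",
    }
})


def parse_csp_report(body: str) -> dict:
    """Return the csp-report fields from a report-uri POST body.

    Raises ValueError for anything that is not a CSP 1.0 report, so a
    report endpoint never logs arbitrary attacker-supplied JSON shapes.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not JSON: {exc}") from None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    # Keep only the defined fields, coerced to str so logging is predictable.
    return {key: str(report.get(key, "")) for key in CSP10_FIELDS}


def directive_name(violated_directive: str) -> str:
    """Strip the source list: "script-src 'self'" -> "script-src"."""
    return violated_directive.split(None, 1)[0] if violated_directive else ""


def summarize(report: dict) -> str:
    """One-line summary a report endpoint might log for each violation.

    Note what the server learns from this alone: the client evaluated the
    policy in original-policy and applied the named directive. CSP 1.0
    reports carry no field saying whether the policy was enforced or
    report-only, so the two modes are indistinguishable from the report.
    """
    return (
        f"{directive_name(report['violated-directive'])} blocked "
        f"{report['blocked-uri'] or '<inline>'} on {report['document-uri']}"
    )


if __name__ == "__main__":
    parsed = parse_csp_report(SAMPLE_REPORT)
    print(summarize(parsed))
```

Running the block prints a single summary line for the constructed report; feeding `parse_csp_report` a body without a `csp-report` object raises `ValueError`, which is the behaviour a report endpoint wants before it writes anything to a log.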