RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid from Erlend Oftedal on 2012-09-14 (public-webappsec@w3.org from September 2012)

From: Erlend Oftedal <eoftedal@gmail.com>
Date: Fri, 14 Sep 2012 15:04:02 -0700
To: Fred Andrews <fredandw@live.com>, Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <-1533523990410582167@unknownmsgid>

But couldn't the server still treat the absence of a request as a trigger
of CSP.

Erlend
------------------------------
From: Fred Andrews
Sent: 14.09.2012 17:12
To: Erlend Oftedal; Adam Barth
Cc: public-webappsec@w3.org
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

> From: eoftedal@gmail.com
> Date: Thu, 13 Sep 2012 22:12:44 -0700
> To: fredandw@live.com; w3c@adambarth.com
> CC: public-webappsec@w3.org
> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid
...
> But is there really a way of removing the possibility of detecting if
> CSP is implemented? The website could always just have the browser
> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and
cause
the embedded widget to halt.   Servers would not be able to probe using the
report-only
return channel, and content that tried to trip its own restrictions to
probe the clients
implementation could be detected by the client and alert the user or be
inhibited.

cheers
Fred

Received on Friday, 14 September 2012 22:04:30 UTC