W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 14 Sep 2012 22:16:10 +0000
To: Fred Andrews <fredandw@live.com>, Erlend Oftedal <eoftedal@gmail.com>, Adam Barth <w3c@adambarth.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E265B5B@DEN-EXDDA-S12.corp.ebay.com>
Fred,

The rough consensus of folks at the W3C these days seems to be that, as currently built, tracking/fingerprinting is an almost inevitable and unavoidable consequence of the general-purpose web browser.  That's not a value judgment, just a statement of fact that's becoming more true every day.

That's why the Tracking Protection Working Group (http://www.w3.org/2011/tracking-protection/) is focusing on a policy-based solution rather than trying to make tracking technically impossible.

Users who seek to avoid the technical possibility that their browser will be fingerprinted really need to seek out a user agent that is specifically designed with that goal in mind.  Even if we surfaced to the user the option to disable reports, other parts, or all of CSP, it would only be a small part of a giant list of such opt-outs the user agent would need to provide for meaningful protection.  Such a list would be unapproachable by the average user, and just the act of customizing it would likely result in a browser that's even more uniquely identifiable than the one they started with.

We're not trying to shirk responsibility here, but it's just not a problem we can solve in this group, or even incrementally provide options that are meaningful to more than a vanishingly small fraction of users.

-Brad Hill

From: Fred Andrews [mailto:fredandw@live.com]
Sent: Friday, September 14, 2012 8:12 AM
To: Erlend Oftedal; Adam Barth
Cc: public-webappsec@w3.org
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid


> From: eoftedal@gmail.com<mailto:eoftedal@gmail.com>
> Date: Thu, 13 Sep 2012 22:12:44 -0700
> To: fredandw@live.com<mailto:fredandw@live.com>; w3c@adambarth.com<mailto:w3c@adambarth.com>
> CC: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid
...
> But is there really a way of removing the possibility of detecting if
> CSP is implemented? The website could always just have the browser
> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and cause
the embedded widget to halt.   Servers would not be able to probe using the report-only
return channel, and content that tried to trip its own restrictions to probe the clients
implementation could be detected by the client and alert the user or be inhibited.

cheers
Fred
Received on Friday, 14 September 2012 22:16:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 14 September 2012 22:16:41 GMT