
Re: Content Security Policy reports in Google+

From: Mike West <mkwst@google.com>
Date: Mon, 22 Jul 2013 17:39:43 +0200
Message-ID: <CAKXHy=f3uT=5esWDxMwWQj2Hsh6voczW86+zFQ9a6HLTV9xy0A@mail.gmail.com>
To: Henry Wong <henrywong@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jad Boutros <jad@google.com>, Mark Knichel <mknichel@google.com>
On Mon, Jul 22, 2013 at 5:30 PM, Henry Wong <henrywong@google.com> wrote:

> Hi,
>
> I've been working on using CSP to detect XSS worms in Google+. Mike West
> thought it would be helpful if I shared my experience so far.
>

Thank you very much for sharing this feedback.


>  As background: Our plan is to use CSP in "report-only" mode - we do not
> ever plan on enabling blocking.
>

Why not? It seems like enabling blocking would be useful once you get the
number of reports down to a manageable level.


> 1) The blocked-uri field in the CSP report is not specific enough for our
> uses. For example, the most popular blocked-uri on Google+ is
> https://cdncache1-a.akamaihd.net - I have no idea what the actual file is
> so it's very hard to act on this information.
>

One suggestion we discussed is to open up a bit more detail for resources
served with appropriate CORS headers. That is, treat cross-origin URLs as
same-origin URLs for the purposes of violation reports iff they allow the
reporting origin (or perhaps the origin to which the report is sent?)
access to the resource.


> 2) We get a ton of reports from sources loaded by Chrome extensions. Mike
> mentioned that he's been working on fixing these but they still fill up our
> logs. Because of issue #1 it's difficult to determine the Chrome extension
> that is causing the problems; this makes reproducing the problem difficult.
>

This is indeed a problem.


>  From reading the docs it doesn't sound like web pages are intended to
> stay in "reporting mode"; it mostly sounds like it's intended as a
> debugging tool until CSP is used for blocks. Is this correct? In general
> any advice or feedback would be great.
>

I'd certainly like to see report-only mode transitioning to enforcement, as
that provides more protection to users and developers. That said, there's
nothing mandatory about the transition. If reports alone are useful to you,
then feel free to continue reporting.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 22 July 2013 15:40:34 UTC
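As an added example, not code from the original message or from Google+: a small Python triage script for CSP 1.0 violation reports that illustrates the two problems raised in the thread (blocked-uri collapsed to a bare origin for cross-origin resources, and log noise from resources injected by Chrome extensions) and the header difference between report-only and enforcing mode. The report bodies, the policy string, the report-uri path /csp-report and the extension id are constructed sample data, not real reports; the non-Chrome extension schemes are an assumption added here.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes whose reports are extension-injected noise rather than page bugs.
# Only chrome-extension:// is mentioned in the thread; the other two are an
# assumption added for completeness.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}


def make_report(document_uri, blocked_uri, violated_directive, original_policy):
    """Build a CSP 1.0 report body (the JSON a browser POSTs to report-uri)."""
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "referrer": "",
        "blocked-uri": blocked_uri,
        "violated-directive": violated_directive,
        "original-policy": original_policy,
    }})


# Constructed sample reports (not real Google+ data); the policy and the
# extension id are placeholders.
_POLICY = ("default-src 'self'; script-src 'self' https://ssl.gstatic.com; "
           "object-src 'none'; report-uri /csp-report")
SAMPLE_REPORTS = [
    # Cross-origin: the browser strips the path, so only the origin is visible.
    make_report("https://plus.google.com/", "https://cdncache1-a.akamaihd.net",
                "script-src 'self' https://ssl.gstatic.com", _POLICY),
    make_report("https://plus.google.com/u/0/", "https://cdncache1-a.akamaihd.net",
                "script-src 'self' https://ssl.gstatic.com", _POLICY),
    # Same-origin: the full URL survives, so the offending file is identifiable.
    make_report("https://plus.google.com/", "https://plus.google.com/static/player.swf",
                "object-src 'none'", _POLICY),
    # Injected by a (placeholder) browser extension: noise for the site owner.
    make_report("https://plus.google.com/", "chrome-extension://exampleextensionid/content.js",
                "script-src 'self' https://ssl.gstatic.com", _POLICY),
]


def parse_report(body):
    """Pull the fields a triage pipeline needs out of one report body."""
    r = json.loads(body)["csp-report"]
    blocked = r.get("blocked-uri", "")
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}"
    else:
        origin = blocked  # "" or a keyword such as "self": keep as-is
    return {
        "document_uri": r.get("document-uri", ""),
        "blocked_uri": blocked,
        "blocked_scheme": parts.scheme,
        "blocked_origin": origin,
        "blocked_path": parts.path,
        # violated-directive carries the whole directive; keep only its name.
        "directive": r.get("violated-directive", "").split(" ", 1)[0],
    }


def has_visible_path(report):
    """True when blocked-uri still carries a path, i.e. the file is identifiable."""
    return report["blocked_path"] not in ("", "/")


def is_extension_noise(report):
    return report["blocked_scheme"] in EXTENSION_SCHEMES


def triage(bodies):
    """Count actionable violations per (directive, blocked origin), dropping
    extension-injected reports. Returns (Counter, number dropped)."""
    actionable = Counter()
    noise = 0
    for body in bodies:
        rep = parse_report(body)
        if is_extension_noise(rep):
            noise += 1
            continue
        actionable[(rep["directive"], rep["blocked_origin"])] += 1
    return actionable, noise


def policy_header(directives, report_uri, enforce):
    """Return (header name, value). Report-only and enforcing mode share the
    same directive syntax; only the header name changes."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(list(directives) + [f"report-uri {report_uri}"])


if __name__ == "__main__":
    counts, dropped = triage(SAMPLE_REPORTS)
    print(f"dropped {dropped} extension-injected report(s)")
    for (directive, origin), n in counts.most_common():
        print(f"{n:3d}  {directive:<12} {origin}")
    print(policy_header(["default-src 'self'"], "/csp-report", enforce=False))
```

Run stand-alone, the script shows the akamaihd origin at the top of the list with no path attached, the same-origin violation with its full URL, and the extension report counted separately; switching enforce=True in policy_header is the only change needed to move from reporting to blocking.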
