Content Security Policy reports in Google+ from Henry Wong on 2013-07-22 (public-webappsec@w3.org from July 2013)

From: Henry Wong <henrywong@google.com>
Date: Mon, 22 Jul 2013 17:30:40 +0200
To: public-webappsec@w3.org
Cc: Jad Boutros <jad@google.com>, Mike West <mkwst@google.com>, Mark Knichel <mknichel@google.com>
Message-ID: <CALMso=+Pj6QfcDfhaD_3acKyCo5Fej5JiRUTaQ8Rn+SxGEXCJw@mail.gmail.com>

Hi,

I've been working on using CSP to detect XSS worms in Google+. Mike West
thought it would be helpful if I shared my experience so far.

As background: Our plan is to use CSP in "report-only" mode - we do not
ever plan on enabling blocking. We would like to perform some automated
analysis on the number and content of the CSP reports in order to check for
strange occurrences. Unfortunately, we seem to be running into a couple of
snags.

1) The blocked-uri field in the CSP report is not specific enough for our
uses. For example, the most popular blocked-uri on Google+ is
https://cdncache1-a.akamaihd.net - I have no idea what the actual file is
so it's very hard to act on this information.

2) We get a ton of reports from sources loaded by Chrome extensions. Mike
mentioned that he's been working on fixing these but they still fill up our
logs. Because of issue #1 it's difficult to determine the Chrome extension
that is causing the problems; this makes reproducing the problem difficult.

>From reading the docs it doesn't sound like web pages are intended to stay
in "reporting mode"; it mostly sounds like it's intended as a debugging
tool until CSP is used for blocks. Is this correct? In general any advice
or feedback would be great.

Thanks
Henry

Received on Wednesday, 24 July 2013 17:08:56 UTC