W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2014

Re: [CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

From: Brad Hill <hillbrad@gmail.com>
Date: Sun, 3 Aug 2014 16:28:08 -0700
Message-ID: <CAEeYn8iJWQmcP0-qrgHy8JtHVJS4HHb+kc8uEvo7yxDEjemS=Q@mail.gmail.com>
To: Philip Constantinou <constantinou@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>
Philip,

  As the other WG co-chair, I do feel obligated somewhat to echo
what's been said:  There is no disagreement in this group or among
current implementers of CSP on the importance of the priority of
constituencies that makes the intent of the user paramount in how they
experience the web.  The CSP Level 2 spec uses non-normative language
to indicate this, in order to give user agents the most leeway in
accommodating user intent.  It is also the case that previous
normative language (SHOULD NOT) would be unlikely to survive to
Recommendation at this point, given the lack of implementations that
implement it consistently and successfully.

  But I do think there are also two issues here that we can and
perhaps should decompose: extensions/plugins versus bookmarklets

  Extensions and plugins are by their nature proprietary at this time.
I think it is likely that user agents will find a way to allow them to
work with Content Security Policy, but it is unlikely that a) they
will do so by simply allowing direct modification of the DOM with
injected script or b) that whatever mechanisms are employed will be
consistent across browsers, as the architectures of extension/plugin
technologies are user-agent specific.  The differences between the
internal architectures of Firefox and Chrome plugins, for example, are
profound, and neither is within the scope of the W3C.

  Bookmarklets are a slightly different case because a big part of
their value proposition is that they are "just javascript" and work in
a relatively uniform manner across all browsers.  I think what we need
here are proposals either for how to implement this in browsers
(submitted either to this group or directly to implementers, depending
on the specificity) or some specification language that works better
to allow users freedom and flexibility while still protecting them
from maliciously injected script.   e.g. can a browser distinguish
between a javascript: navigation that happened from a bookmark vs. one
that was an href or src attribute?  Another difficulty here is that
bookmarks, while almost universally supported in some form, aren't
formally specified or implemented in an interoperable and standard
fashion.

  Maybe we need a new Fetch context
(http://fetch.spec.whatwg.org/#requests) for activating a bookmark
that is more specific than "internal"?

  I'm happy to continue the discussion, but as it seems there are
other platform concepts either in HTML5 or Fetch that need more formal
definition in order for us to attempt normative language in CSP, I
think any such changes ought to be targeted to the next revision of
the CSP specification.

-Brad Hill


On Thu, Jul 31, 2014 at 6:30 PM, Philip Constantinou
<constantinou@gmail.com> wrote:
> Dear W3C CSP working group -
>
> Evernote voices our strong opposition to the wording changes regarding
> extensions and bookmarklets in CSP1.1 and our strong support of
>
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0061.html.
>
> Evernote provides a free web service to over 100 million users world wide.
> We also provide browser extensions for Google Chrome, Safari, Internet
> Explorer and Opera in addition to bookmarklets which are used on other user
> agents. Additionally, we have ongoing development efforts on several mobile
> browsers.
>
> For example, the Evernote Web Clipper for Chrome is a top rated free
> extension installed by over 3.4 million users.
>
> We've built these extensions for the express purpose of allowing users to
> capture and mark up content they find on the web. To create a great user
> experience, our extensions insert JavaScript into the viewers page upon user
> request. This mechanism risks being broken by the vague
> extension/bookmarklet wording change proposed in CSP 1.1.
>
> We strongly believe that users should be allowed to control their own
> experience on the web through a choice of browser and the use of browsers
> extensions. Changing the CSP specification in a way that limits browser
> extensions operates counter to the needs of users and limits companies like
> ours from making the web better for everyone.
>
> Thank you for your consideration -
>
>
> Philip Constantinou
>
> VP of Products
>
> Evernote
>
> remember everything
>
>
> ps. Sending this from my personal email address because the w3.org emailing
> list says evernote.com is blacklisted.
Received on Sunday, 3 August 2014 23:28:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC