
Re: CSP formal objection.

From: Mike West <mkwst@google.com>
Date: Tue, 4 Feb 2014 15:59:00 +0100
Message-ID: <CAKXHy=dnBQ_rAbC3+kejRmCaVZ2A9fyfH_5fz4uf9ypZ4rZOfg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, Glenn Adams <glenn@skynav.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Feb 3, 2014 at 9:38 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Since we all agree about the PoC, but could argue for another few months
> about what exactly it means, would everyone be able to live with the
> following text:
>

For the record, it sounds like Mozilla and Google are on the same page
regarding what the PoC means in this context. Both vendors are on record
claiming that the sentence I removed ("SHOULD NOT") accurately reflects
their implementation intentions.

As far as I know, IE doesn't have extensions per se. Opera does, and their
implementation is Chrome's (Blink's) implementation. Apple is the only
vendor shipping CSP that hasn't weighed in.

Relevantly, the WG polled its participants on this question back in
September 2013[1], and the response was quite negative to the question as
to whether "We should make changes to core CSP 1.1 behavior (including
possibly specifying a new directive about user script) as requested by Bug
23357?" It appears that Cox was the only positive vote on that poll. Brad,
please correct me if I missed additional votes.

> "When considering interactions between a resource's policy and
> user-initiated changes to that resource, for example through extension
> mechanisms or bookmarklets, user agent implementors SHOULD take into
> account the HTML5 Priority of Constituencies (link) when determining
> whether to enforce or report on a policy violation that would be generated
> by such changes."
>

If including something fluffy like this resolves the discussion, brilliant.
Otherwise, I don't see any impact to be had from including it.

As an implementer, if we say something in the spec about vendor-specific
extension mechanisms, I'd prefer to say that they should bypass a page's
CSP (or, perhaps something along the lines of Brian's suggestion, that
authors should not rely on the user agent to block extensions).

As an editor, I don't think saying that in the spec is essential, however,
as the topic is vendor-specific, and won't have normative impact one way or
the other.

-mike

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0086.html
Received on Tuesday, 4 February 2014 14:59:49 UTC
