- From: Mike \ <pomax@nihongoresources.com>
- Date: Sat, 22 Feb 2014 12:30:54 -0800
- To: public-webappsec@w3.org
Hey all, based on https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55 I can't help but also jump in on this topic; as a user of the web, a developer, and someone who cares about freedom, the change implemented in said commit has me sitting back in amazement (and an initial furious anger over the audacity to suggest this removal, since abated a little because writing an email in anger usually leads to rather poor writing) over the fact that we're collectively okay with the notion that a website should be allowed to force a browser to lock a user out of the web as an "I choose how to consume this" medium.

The change in the linked commit yields a universal specification that would, in its modified form, end the web as we know it today. Rather than explicitly allowing users to overrule CSP and the default browser behaviour, this spec would allow browsers to tell users that they have no choice but to obey the decision that a website has made for them. This isn't the web we built, and shouldn't be the web we want. No matter how much a website knows about security, it should never be in control of the browser. At best, it should tell the browser what it would like to have happen, with the user explicitly holding the power to override any decisions made.

While I understand Mike West's comments that this change should not be taken to mean Blink will be doing this, it should also be noted that it's not about whether Blink, specifically, will do so. It's about the specification, with this modification, allowing any browser maker to do so, whether anyone working on that browser says they will or not. There is no protection in the spec from Mike or the Blink team as a whole, or even Microsoft or Mozilla, changing their mind and going "well, the spec allows it, and we think it's a good idea, so we're going to do this now". The text has changed from placing the user in ultimate control to placing the website owners in ultimate control.
This is, let's face it, a little insane =) I'd like to recommend a change instead to "Processing Model [...] A user agent MUST allow users a mechanism to override any aspect of the policy, e.g. via user agent settings or user-installed add-ons" simply because this is how browsers should work. Ultimately, the user has the final say, not the CSP, and not the website dictating the CSP.

The original phrasing using "user-installed scripts" invites debate over what "user-installed" means, as well as what qualifies as "script". In order to avoid ambiguity (is an add-on a script? Probably not, but it's unclear. Is a bookmarklet "installed"? Maybe, but again, way too unclear) I've changed the phrasing to simply state the user must have an override mechanism. Removing ambiguity is excellent (the goal is of course a clear spec), but let's put back some text that makes the user the ultimate authority.

Finally, based on Devdatta's comment on github, I'd like to remind people that a w3c mailing list is a little bit of a bubble: those living in it, and participating on it, can easily forget that there is an entire world out there with strong opinions about the decisions being made, without a way to voice those opinions. The fact that people sign up specifically to object to something should be an incredibly strong signal that something is wrong, given how much people have no desire to join mailing lists just to say one thing and then leave again.

- Mike "Pomax" Kamermans
Received on Saturday, 22 February 2014 20:33:51 UTC