
Removal of the note about extensions

From: Mike <pomax@nihongoresources.com>
Date: Sat, 22 Feb 2014 12:30:54 -0800
Message-ID: <530908FE.50302@nihongoresources.com>
To: public-webappsec@w3.org

Hey all,

based on 
https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55 
I can't help but also jump in on this topic; as a user of the web, a 
developer, and someone who cares about freedom, the change implemented in 
said commit has me sitting back in amazement (and an initial furious 
anger over the audacity to suggest this removal, since abated a little 
because writing an email in anger usually leads to rather poor writing) 
over the fact that we're collectively okay with the notion that a 
website should be allowed to force a browser to lock a user out of the 
web as an "I choose how to consume this" medium.

The change in the linked commit yields a universal specification that 
would, in its modified form, end the web as we know it today. Rather 
than explicitly allowing users to overrule CSP and the default browser 
behaviour, this spec would allow browsers to tell users that they have 
no choice but to obey the decision that a website has made for them. 
This isn't the web we built, and shouldn't be the web we want. No matter 
how much a website knows about security, it should never be in control 
of the browser. At best, it should tell the browser what it would like 
to have happen, with the user explicitly holding the power to override 
any decisions made.

While I understand Mike West's comments that this change should not be 
taken to mean Blink will be doing this, it should also be noted that 
it's not about whether Blink, specifically, will do so. It's about the 
specification, with this modification, allowing any browser maker to do 
so, whether anyone working on that browser says they will or not. There 
is no protection in the spec from Mike or the Blink team as a whole, or 
even Microsoft or Mozilla to change their mind and go "well the spec 
allows it, and we think it's a good idea, so we're going to do this 
now". The text has changed from placing the user in ultimate control, to 
placing the website owners in ultimate control.

This is, let's face it, a little insane =)

I'd like to recommend a change instead to "Processing Model [...] A user 
agent MUST allow users a mechanism to override any aspect of the policy, 
e.g. via user agent settings or user-installed add-ons" simply because 
this is how browsers should work. Ultimately, the user has the final 
say, not the CSP, and not the website dictating the CSP. The original 
phrasing using "user-installed scripts" invites debate over what 
"user-installed" means, as well as what qualifies as "script". In order 
to avoid ambiguity (is an add-on a script? Probably not, but it's 
unclear. Is a bookmarklet "installed"? Maybe, but again, way too 
unclear) I've changed the phrasing to simply state the user must have an 
override mechanism. Removing ambiguity is excellent (the goal is of 
course a clear spec), but let's put back some text that makes the user 
the ultimate authority.

Finally, based on Devdatta's comment on github, I'd like to remind 
people that a w3c mailing list is a little bit of a bubble: those living 
in it, and participating on it, can easily forget that there is an 
entire world out there with strong opinions about the decisions being 
made, without a way to voice those opinions. The fact that people sign 
up specifically to object to something should be an incredibly strong 
signal that something is wrong, given how much people have no desire to 
join mailing lists just to say one thing and then leave again.

- Mike "Pomax" Kamermans
Received on Saturday, 22 February 2014 20:33:51 UTC
