W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

[CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

From: Gregory Huczynski <gh_online@me.com>
Date: Tue, 15 Jul 2014 08:47:11 +0100
Message-id: <693A2D35-4AF9-44B5-AA3D-237CD39146BF@me.com>
To: public-webappsec@w3.org
Hi there,

Having read through the latest CSP 1.1 working draft, I would like to propose that the sentence referring to bookmarklets and third-party additions is reverted back to its original CSP 1.0 form.

Specifically, the sentence:

"Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.
http://www.w3.org/TR/CSP11/#processing-model

is reverted back to:

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."
http://www.w3.org/TR/2012/CR-CSP-20121115/#processing-model

I understand that the change to the new 1.1 form was a consensus decision, with multiple discussions on the webappsec mailing list and github in February/March. For reference, I have collated the relevant communications below. It appears that: 1 person requested the change and strongly argued for it, 1 agreed, 2 others agreed on the grounds that a "standard have no business with UI-level features", and 16 argued against it.

The new sentence in CSP 1.1 weakens the position of user-installed bookmarklets and browser extensions, by opening the possibility that they are subject to a page author's content security policy. Makers of such bookmarklets and extensions should have an opportunity to reply.

There was no input to the consensus decision from any individuals or companies who make popular bookmarklets or extensions - who would like a say on this change if they were aware of it. I will be making such individuals and companies aware of the CSP 1.1 draft, such that they have an opportunity to comment before the deadline closes on 13 August 2014.

Below follows a fuller explanation of why the sentence should revert to the 1.0 version, and a collation of related communications so far.

Kind regards

Gregory Huczynski


Fuller explanation

If the user installs bookmarklets or extensions to act on their behalf, they should not be affected by a page author's content security policy. This would reflect the "Priority of Constituencies" (http://www.w3.org/TR/html-design-principles/#priority-of-constituencies) which places the rights and concerns of users ahead of content authors.  The original CSP 1.0 sentence definitively constrains the scope of a content author's page security policy: the policy should not affect the operation of user-installed third-party additions.

The new CSP 1.1 sentence is a far weaker guideline. It opens the possibility that user-installed third-party additions can be subject to a page author's content security policy, depending on user agent. This does not reflect the "Priority of Constituencies", raises the possibility that a content author ultimately decides what user-installed bookmarklets and extensions can operate on their pages, and makes it harder to raise bugs against user-agents that aim for W3C CSP conformance.

Various services exist that offer users the ability to augment, transform or interact with any page on the www: functionality like page translation, bookmarking, and reformatting. They provide functionality in the form of bookmarklets and browser extensions - which millions of users have chosen to install and use every day. These services are now starting to fail on various web-sites with a content security policy. The bookmarklets/extensions use script/style/iframe https injection to function, and Firefox and Chrome are now blocking this behaviour - they are applying a web-page’s whitelisted-origin policy. Bugs have been raised against these browsers [1][2], and the definitive language in CSP 1.0 provided a strong case for this behaviour to be fixed. The new CSP 1.1 wording does not require this behaviour to be treated as a user-agent bug, according to the standard. It therefore brings into question the long-term viability of such cross-website services that depend on this technical bookmarklet/extension approach. It also raises uncertainty over innovation in cross-website services.

For the sake of the millions of users who trust and gain value from cross-website bookmarklets and extensions, we should put their existence on a definitive footing and return to the original CSP 1.0. sentence. 

For reference:
[1] Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=866522
[2] Chrome bug: https://code.google.com/p/chromium/issues/detail?id=233903


Collation of related communications

2013-09-25.
Bug opened: 'Subverting CSP policies for browser add-ons'
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357

2014-01-27
'CSP formal objection' email thread:
http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

2014-01-29
Entire bookmarklet sentence is removed from CSP 1.1 draft
https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55
Github commit references public-webappsec email:
http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

2014-02-22
'Removal of the note about extensions' email thread
http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0098.html
Final email:
http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0005.html

2014-02-26
WebAppSec WG Teleconference 26-Feb-2014 minutes:
http://www.w3.org/2014/02/26-webappsec-minutes.html

2014-02-27
Bookmarklet sentence added back, as a weak guideline.
https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0
Received on Tuesday, 15 July 2014 07:47:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC