Re: [CSP] Request to amend bookmarklet/extensions sentence in CSP1.1 from Glenn Adams on 2014-07-15 (public-webappsec@w3.org from July 2014)

From: Glenn Adams <glenn@skynav.com>
Date: Tue, 15 Jul 2014 07:53:31 -0600
To: Gregory Huczynski <gh_online@me.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CACQ=j+cQWftiO7_ek4Z_6GhRk=0YOmKYf0Em37UoTsGNZLhkRA@mail.gmail.com>
On Tue, Jul 15, 2014 at 1:47 AM, Gregory Huczynski <gh_online@me.com> wrote:

> Hi there,
>
> Having read through the latest CSP 1.1 working draft, I would like to
> propose that the sentence referring to bookmarklets and third-party
> additions is reverted back to its original CSP 1.0 form.
>
> Specifically, the sentence:
>
> "Note: User agents may allow users to modify or bypass policy enforcement
> through user preferences, bookmarklets, third-party additions to the user
> agent, and other such mechanisms.
> http://www.w3.org/TR/CSP11/#processing-model
>
> is reverted back to:
>
> Enforcing a CSP policy should not interfere with the operation of
> user-supplied scripts such as third-party user-agent add-ons and JavaScript
> bookmarklets."
> http://www.w3.org/TR/2012/CR-CSP-20121115/#processing-model
>
> I understand that the change to the new 1.1 form was a consensus decision,
> with multiple discussions on the webappsec mailing list and github in
> February/March. For reference, I have collated the relevant communications
> below. It appears that: 1 person requested the change and strongly argued
> for it, 1 agreed, 2 others agreed on the grounds that a "standard have no
> business with UI-level features", and 16 argued against it.
>
> The new sentence in CSP 1.1 weakens the position of user-installed
> bookmarklets and browser extensions, by opening the possibility that they
> are subject to a page author's content security policy. Makers of such
> bookmarklets and extensions should have an opportunity to reply.
>
> There was no input to the consensus decision from any individuals or
> companies who make popular bookmarklets or extensions - who would like a
> say on this change if they were aware of it. I will be making such
> individuals and companies aware of the CSP 1.1 draft, such that they have
> an opportunity to comment before the deadline closes on 13 August 2014.
>
> Below follows a fuller explanation of why the sentence should revert to
> the 1.0 version, and a collation of related communications so far.
>
> Kind regards
>
> Gregory Huczynski
>
>
> *Fuller explanation*
>
> If the user installs bookmarklets or extensions to act on their behalf,
> they should not be affected by a page author's content security policy.
> This would reflect the "Priority of Constituencies" (
> http://www.w3.org/TR/html-design-principles/#priority-of-constituencies)
> which places the rights and concerns of users ahead of content authors.
> The original CSP 1.0 sentence definitively constrains the scope of a
> content author's page security policy: the policy should not affect the
> operation of user-installed third-party additions.
>
> The new CSP 1.1 sentence is a far weaker guideline. It opens the
> possibility that user-installed third-party additions can be subject to a
> page author's content security policy, depending on user agent. This does
> not reflect the "Priority of Constituencies", raises the possibility that a
> content author ultimately decides what user-installed bookmarklets and
> extensions can operate on their pages, and makes it harder to raise bugs
> against user-agents that aim for W3C CSP conformance.
>
> Various services exist that offer users the ability to augment, transform
> or interact with any page on the www: functionality like page translation,
> bookmarking, and reformatting. They provide functionality in the form of
> bookmarklets and browser extensions - which millions of users have chosen
> to install and use every day. These services are now starting to fail on
> various web-sites with a content security policy. The
> bookmarklets/extensions use script/style/iframe https injection to
> function, and Firefox and Chrome are now blocking this behaviour - they are
> applying a web-page’s whitelisted-origin policy. Bugs have been raised
> against these browsers [1][2], and the definitive language in CSP 1.0
> provided a strong case for this behaviour to be fixed. The new CSP 1.1
> wording does not require this behaviour to be treated as a user-agent bug,
> according to the standard. It therefore brings into question the long-term
> viability of such cross-website services that depend on this technical
> bookmarklet/extension approach. It also raises uncertainty over innovation
> in cross-website services.
>
> For the sake of the millions of users who trust and gain value from
> cross-website bookmarklets and extensions, we should put their existence on
> a definitive footing and return to the original CSP 1.0. sentence.
>

It has already been pointed out on numerous occasions that the former
language did not place a mandatory requirement on UA behavior, and, as
such, meant that conformance was non-testable. Restoring that language will
not change that situation, and would not alter the treatment of
add-ons/extensions. The now adopted language makes clear that it is up to
UA manufacturers to determine how to implement this treatment.

Over time, it may be that UAs will converge on a specific set of semantics,
at which time it may warrant defining mandatory semantics. However, until
then, it serves no purpose to restore the prior language. Furthermore,
since you have not introduced new information to this topic (but have only
compiled past discussions), WG decisions by policy are not reopened (or at
least that is the SOP practiced by WGs in my 20 years of experience with
the W3C).


>
>
> For reference:
> [1] Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=866522
> [2] Chrome bug: https://code.google.com/p/chromium/issues/detail?id=233903
>
>
> *Collation of related communications*
>
> 2013-09-25.
> Bug opened: 'Subverting CSP policies for browser add-ons'
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>
> 2014-01-27
> 'CSP formal objection' email thread:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
>
> 2014-01-29
> Entire bookmarklet sentence is removed from CSP 1.1 draft
>
> https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55
> Github commit references public-webappsec email:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
>
> 2014-02-22
> 'Removal of the note about extensions' email thread
> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0098.html
> Final email:
> http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0005.html
>
> 2014-02-26
> WebAppSec WG Teleconference 26-Feb-2014 minutes:
> http://www.w3.org/2014/02/26-webappsec-minutes.html
>
> 2014-02-27
> Bookmarklet sentence added back, as a weak guideline.
>
> https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0
>
Received on Tuesday, 15 July 2014 13:54:21 UTC