Re: CSP Spec question from Adam Gray on 2014-05-28 (public-webappsec@w3.org from May 2014)

From: Adam Gray <adam@trackif.com>
Date: Wed, 28 May 2014 09:29:18 -0500
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mike West <mike@mikewest.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <475D442A-818F-46CE-AC68-59089BB0F452@trackif.com>

Thank you for your feedback thus far. I guess my question is fairly complex, at least from my newcomer mindset. If all sites enabled strict CSP rules blocking any non-sanctioned script injections... Would that basically render plugins, bookmarklets, and the like moot? 

Maybe I just don't understand the spec enough. 

Sent from my iPhone

> On May 28, 2014, at 7:19 AM, Mike West <mkwst@google.com> wrote:
> 
>> On Wed, May 28, 2014 at 1:08 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I'm not sure I agree with that. If that were true, Chrome would not be
>> trying to move away from NPAPI, Safari would support Flash and other
>> plugins on iOS, etc. We certainly have defined some things around
>> plugins, but they are mostly a black box still and everyone hopes to
>> move away from them just like Apple did.
> 
> Oh, I cannot wait for NPAPI to die. But until it does, we should define some things around the outlines of the big black hole they leave in the platform.
> 
> I don't like sync XHR either, but that doesn't mean that I don't think it should be in the spec if it's widely supported and used.
>  
>> There may be disagreement, but that's the role standards have taken to
>> date. We don't run conformance test suites of standards on browsers
>> plus their myriad of extensions. Or on custom builds of browsers some
>> set of users decided to start using (same as extensions). None of that
>> seems tenable either, so I'm not sure why there would be disagreement.
> 
> I'd agree with you that MUST-level requirements would be both difficult to test and to enforce. SHOULD-level recommendations, however, seem quite valuable.
> 
> Especially for standards like CSP which have a cross-cutting impact on the way websites function, it's important for us to help user agent implementers understand the potential impact of the spec on the extension systems they've created, and to guide them towards implementations we see as correctly balancing potentially competing claims. The "should CSP block extensions" discussion and subsequent compromise from a few weeks back is an exemplary example of us doing a bad job of that (IMO).
> 
> -mike

Received on Wednesday, 28 May 2014 14:29:51 UTC