[whatwg] Clickjacking and CSRF from Bil Corry on 2009-07-22 (public-whatwg-archive@w3.org from July 2009)

From: Bil Corry <bil@corry.biz>
Date: Wed, 22 Jul 2009 12:56:26 -0500
Message-ID: <4A6752CA.5070506@corry.biz>

Aryeh Gregor wrote on 7/22/2009 12:38 PM: 
> On Wed, Jul 22, 2009 at 1:20 PM, Bil Corry<bil at corry.biz> wrote:
>> If it's desirable to add a 'report only' feature to CSP, I'd prefer see a second CSP-related header (X-Content-Security-Policy-ReportOnly???) that implements it rather than adding it to the CSP header.  The presence of both headers (CSP and CSPReportOnly) would mean both would be acted upon.
> 
> I can't see how that makes a difference either way for any purpose,
> really.  It just seems like it would make it slightly more annoying
> for authors to deploy, and somewhat more confusing (since the presence
> of one header would drastically change the semantics of another).

The idea here is 'when in doubt, favor the more restrictive option.'  There shouldn't be both headers, but if there are, then CSP wins.


>> There's already been some discussion that authors would iteratively relax CSP until their site worked.  I can see where an author enables ReportOnly, their site suddenly works and they mistakenly believe it's properly configured and actively protecting their site.
> 
> They might also make a typo in the policy file that causes Firefox to
> ignore the whole thing, and mistakenly believe they're being
> protected.

This won't happen as CSP explicitly enforces a 'fail closed' policy:

	https://wiki.mozilla.org/Security/CSP/Spec#Handling_Parse_Errors


> Or they might enable CSP, then allow inline script and
> import from arbitrary foreign sites because that's what it took for
> their ads and Analytics to start working again, and think they're
> protected.

Allowing content from their advertising and analytics providers is far less serious than mistakenly turning on ReportOnly which allows content from any source.

 
> You can't really do much to stop people from having a sense of false
> security if they neither understand nor test their security system.  I
> don't think it's valuable to try.

It's valuable to set them up for as much success as possible.


- Bil

Received on Wednesday, 22 July 2009 10:56:26 UTC