webappsec-ISSUE-16 (CSP informs client, cannot restrict it): Editorial: CSP cannot dictate client behavior, only inform it

http://www.w3.org/2011/webappsec/track/issues/16

Raised by: Brad Hill
On product: 

From LC comment from Fred Andrews:

http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html

* "Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources."

The application runs on users' personal computers and they can choose to interpret these directives as they please so the wording appears rather disingenuous.  Could I suggest:

"Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client from where the application needs to load resources."


* "To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script."

Could I suggest:

"To mitigate XSS, for example, a web application can declare from where it needs to load scripts allowing the client to detect and block an attacker who can inject content into the web application to inject malicious script."


* "The term security policy, or simply policy, for the purposes of this specification refers to either:
    a set of security preferences for restricting the behavior of content within a given resource, or
    a fragment of text that codifies these preferences."

Could I suggest:
"The term resource restrictions policy, or simply policy, for the purposes of this specification refers to either:  a set of resource restrictions within which the content can operate, or a fragment of text that codifies these restrictions."


* "A server transmits its security policy for a particular protected resource as a collection of directives, such as default-src 'self', each of which controls a specific set of privileges for that protected resource as instantiated by the user agent. More details are provided in the directives section."

The information being sent has nothing to do with the server security. The server cannot implement its security at the client.  The information is in no way capable of controlling a set of privileges on the server or the client.  This wording is very confusing.  Could I suggest:

"A server transmits the resource restrictions policy for a particular resource as a collection of directives, such as default-src 'self', each of which declares a specific set of restrictions for that resource as instantiated by the user agent.  More details are provided in the directives section."

Received on Tuesday, 11 September 2012 03:18:48 UTC
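The point running through the comment above is that the header only declares a policy; the user agent is the party that evaluates each load against it and decides whether to block. The following is an added example, not text from this issue or from the CSP specification: a simplified approximation of CSP 1.0 source matching (ports and paths are ignored) applied to a constructed origin and a constructed policy of the `default-src 'self'` form discussed above.

```python
from urllib.parse import urlparse

# Constructed document origin and policy header for the example (not from the issue).
ORIGIN = "https://app.example.com"
HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com"


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, url, origin):
    """Simplified source-expression match: 'none', 'self', '*', scheme: and host sources.
    Assumption: ports and paths are not considered (the real algorithm handles both)."""
    u, o = urlparse(url), urlparse(origin)
    hostname = u.hostname or ""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if expr.endswith(":") and "/" not in expr:      # scheme-source such as https:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")        # host-source, optional scheme
    if scheme and u.scheme != scheme:
        return False
    host = host.split(":")[0]                       # drop any port (assumption: ignored)
    if host.startswith("*."):
        return hostname.endswith(host[1:])          # host[1:] keeps the leading dot
    return hostname == host


def allowed(policy, directive, url, origin):
    """The user agent's decision for one load; falls back to default-src when the
    specific directive is absent, and restricts nothing when neither is present."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, origin) for s in sources)


if __name__ == "__main__":
    policy = parse_csp(HEADER)
    # An injected script from a host the policy never declared is blocked by the client.
    print(allowed(policy, "script-src", "https://evil.example.net/x.js", ORIGIN))
```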