W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

CSP required reporting a bad precedent?

From: Fred Andrews <fredandw@live.com>
Date: Sun, 14 Oct 2012 11:57:35 +0000
Message-ID: <BLU002-W203AA17C3E73C094C55746BAA720@phx.gbl>
To: "public-privacy@w3.org" <public-privacy@w3.org>
The CSP spec. is nearing recommendation and I have been trying to make a case for reporting to be optional which would allow the UA to choose to make reporting opt-in or to report to the user if desired.  My suggestions to the WG have been met with ridicule and with claims that the reporting does not reveal any information not already known to the content author.

The mandated reporting of security violations detected by the UA back to the server appears to be unprecedented.  Could I ask if anyone is aware of any other w3c standards that require the UA to report security violations to the server?

Does anyone else share my concern that allowing w3c standards to require the reporting of security violations is a bad precedent?

While a UA could still decide not to report a violation, if the standard requires this then server software could be written to depend on it and a UA not reporting could be discriminated against.

I am also concerned that the reporting could be used to report on user customization of the CSP policy.  For example if a user decides a particular third party is not trustworthy and adjusts the CSP policy to block the third party then when an attempt is made to load the blocked third party resource the UA would be required to report the violation to the first party.   This is turn could be used to discriminate against the user.

I am preparing a final response to the WG regarding CSP on the issue of the required reporting and would welcome any input.


Received on Sunday, 14 October 2012 11:58:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:24 UTC