Re: CSP and web analytics from sird@rckc.at on 2011-06-08 (public-web-security@w3.org from June 2011)

From: <sird@rckc.at>
Date: Wed, 8 Jun 2011 09:41:38 -0500
To: John Wilander <john.wilander@owasp.org>
Cc: public-web-security@w3.org
Message-ID: <BANLkTik_ggGjXAGR-9A7DguoquNSVn4Ggw@mail.gmail.com>

I don't know about omniture but for Analytics you can put the inlined
JS inside a .js file.

-- Eduardo




On Wed, Jun 8, 2011 at 6:19 AM, John Wilander <john.wilander@owasp.org> wrote:
> Hi PubWebSec!
>
> To get ready for Content Security Policy in production organizations have to
> get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there and the decision to use
> them are typically made by managers closer to money than the security
> department typically is.
>
> I've been using both SiteCatalyst and Analytics before, both using inline
> JavaScript. Looking at their online documentation and tutorials I only see
> inline solutions.
>
> Example from SiteCatalyst tutorial
> (https://developer.omniture.com/en_US/get-started/sitecatalyst-tagging):
> [bla, bla] return to the Page Code tab and copy all of the code in the tab.
> In the HTML files, locate the comment that says Begin Paste the SiteCatalyst
> JavaScript Page code here and then paste the Page Code below the comment.
>
> Example from Analytics tutorial
> (http://www.google.com/support/googleanalytics/bin/answer.py?answer=174090):
> In the Profile Settings page, click the "Check Status" link. You'll see
> something similar to the code snippet below. (...) Once you find the code
> snippet, copy and paste it into your web page, just before the closing
> </head> tag.
>
> All of this will be a show stopper for CSP. I think we have to start working
> with the web analytics vendors to 1) find working file-only solutions, and
> 2) write good tutorials on how to get file-only web analytics working.. We
> might be successful since developers in general consider this "paste the
> JavaScript into your page" practice quite ugly.
>
> Thoughts?
>
>    Regards, John
>
> --
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> My music http://www.johnwilander.com
>
>

Received on Wednesday, 8 June 2011 14:42:26 UTC