RE: CSP and web analytics

While the earliest adopters (e.g. PayPal) are going to want very fine grained control, larger adoption would probably be helped by a standardized set of  "profiles" that scripts and protected resources can declare conformance to for interoperability.   

Letting sites do something like declare to an ad network that they will only accept ads that conform to "Sandboxed Inline Ad 1.0" will help establish a critical mass of demand, and also one that can be reasonably responded to.


-----Original Message-----
From: [] On Behalf Of Adam Barth
Sent: Wednesday, June 08, 2011 10:25 AM
To: John Wilander
Subject: Re: CSP and web analytics

Yeah, one of the challenges for CSP is that it imposes constraints on how you integrate with third-parties.  Web analytics is probably one of the easier examples of this issue.  Advertising is probably more challenging.  My sense is that CSP succeeding on this dimension is going to take a while.  Enough developers need to be interested in using the feature that providers of these third-party services have an incentive to play nicely with CSP.


On Wed, Jun 8, 2011 at 4:19 AM, John Wilander <> wrote:
> Hi PubWebSec!
> To get ready for Content Security Policy in production organizations 
> have to get JavaScript guidelines in place stating no inline 
> JavaScript, only JavaScript in files. That's fine for in-house 
> developers but I'm starting to get worried about web analytics tools 
> such as Omniture SiteCatalyst and Google Analytics. These are very 
> popular out there and the decision to use them are typically made by 
> managers closer to money than the security department typically is.
> I've been using both SiteCatalyst and Analytics before, both using 
> inline JavaScript. Looking at their online documentation and tutorials 
> I only see inline solutions.
> Example from SiteCatalyst tutorial
> (
> [bla, bla] return to the Page Code tab and copy all of the code in the tab.
> In the HTML files, locate the comment that says Begin Paste the 
> SiteCatalyst JavaScript Page code here and then paste the Page Code below the comment.
> Example from Analytics tutorial
> (
> In the Profile Settings page, click the "Check Status" link. You'll 
> see something similar to the code snippet below. (...) Once you find 
> the code snippet, copy and paste it into your web page, just before 
> the closing </head> tag.
> All of this will be a show stopper for CSP. I think we have to start 
> working with the web analytics vendors to 1) find working file-only 
> solutions, and
> 2) write good tutorials on how to get file-only web analytics 
> working.. We might be successful since developers in general consider 
> this "paste the JavaScript into your page" practice quite ugly.
> Thoughts?
>    Regards, John
> --
> John Wilander, Chapter co-leader 
> OWASP Sweden, Conf Comm, 
> My music

Received on Wednesday, 8 June 2011 17:41:32 UTC