Re: CSP and web analytics from gaz Heyes on 2011-06-08 (public-web-security@w3.org from June 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 8 Jun 2011 20:26:52 +0100
To: John Wilander <john.wilander@owasp.org>
Cc: public-web-security@w3.org
Message-ID: <BANLkTimVYzTnQWBbkWgkAUPy5Y8iwcaD=Q@mail.gmail.com>

On 8 June 2011 12:19, John Wilander <john.wilander@owasp.org> wrote:

> To get ready for Content Security Policy in production organizations have
> to get JavaScript guidelines in place stating no inline JavaScript, only
> JavaScript in files. That's fine for in-house developers but I'm starting to
> get worried about web analytics tools such as Omniture SiteCatalyst and
> Google Analytics. These are very popular out there and the decision to use
> them are typically made by managers closer to money than the security
> department typically is.
>

As I see it there are two problems a) Sites will wrongly implement a CSP
policy with inline enabled (xss protection off) to make analytics work
rather that put them in a separate file. b) The analytics on the page will
be abused to log their xss attacks without using another external server.
Both break CSP at the core IMO and unless an alternative method is developed
to handle inline script then it drastically reduces CSP effectiveness.

Received on Wednesday, 8 June 2011 19:27:19 UTC