- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sat, 14 Jan 2012 10:34:23 -0800
- To: Hendrik Brummermann <nhb_web@nexgo.de>
- CC: public-webappsec@w3.org
On 12/28/11 6:29 PM, Hendrik Brummermann wrote:
> While there are some reports on ISP manipulating HTML code (e. g.
> http://www.zdnet.de/magazin/41515603 in German), there seems to be no
> documented way for a website to prevent or even detect this manipulation.

The ISP is performing a MITM attack; all CSP is doing is alerting you to
that fact. CSP wasn't designed to detect MITM, so it's more likely to
detect dumb ones like this than an actual malicious targeted attack, which
would presumably suppress the CSP header, or use "allowed" hosts and
intercept those requests as well.

> TL;DR: Some providers manipulate the HTML code causing their customers
> to end up with CSP violations and there seems to be no documented way
> for a website to prevent this other than using CSP on https pages only.

The only tool designed to prevent MITM is TLS. Short of that there's not a
lot you can do in this situation. CSP has detected the damage; do you want
to live with it or fight it?

* Is modifying content--note, this is far more than "network management"
  that might be allowed--illegal in your user's jurisdiction? I bet a good
  lawyer could make a case this is a copyright violation (they have
  created a derivative work without permission). Is there a German EFF
  that could help?

* Even if this modification is legal it may not withstand customer demand
  if users knew the ISP was doing this. Can you let them know in some way?
  They could maybe switch ISPs if they have a choice (not always
  possible), flood the ISP's customer support, raise a ruckus with their
  legislators, switch to a VPN service if they need immediate protection.

* You could talk to the ISP and explain the damage they are doing.
  Inlining cacheable JS is stupid; surely their own technical experts can
  help them see that part. If their image redirection is for performance
  reasons there may be different tools they could use, or they could use
  real host names so you could add them to the policy (if you were
  convinced they were benign).

* You could give up on CSP, or maybe conditionally based on client IP.

Sorry this is probably not a lot of help.

-Dan Veditz
Received on Saturday, 14 January 2012 18:35:48 UTC
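The thread describes two things a site operator can actually do with the CSP reports an injecting ISP triggers: recognise the injection pattern (inline script, images redirected to a host the policy never allowed) and, as the last option above, stop sending CSP to clients behind that ISP. The following is an added example, not code from the thread or from Mozilla: it processes CSP 1.0-style JSON violation reports (the `csp-report` wrapper with `document-uri`, `violated-directive`, `blocked-uri`), groups them by the reporting client's /24, and flags networks where nearly every report is an injection. The policy string, the host names, the client addresses and the reports themselves are constructed for the example.

```python
"""Spot ISP-style content injection from CSP violation reports.

Added example for the thread above, not part of the original message.
Assumes CSP 1.0-style JSON reports; all hosts, IPs and reports below are constructed.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Policy the site sends. The allowed image host is an assumption for the example.
POLICY = ("default-src 'self'; img-src 'self' static.example.net; "
          "report-uri /csp-report")

# Early user agents reported an inline violation with an empty blocked-uri;
# later ones send "inline". Treat both the same way.
INLINE_MARKERS = ("", "inline", "self")


def parse_policy(policy):
    """Map each directive name to its source list, e.g. {'img-src': ["'self'", 'static.example.net']}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def classify(report_json, policy=POLICY):
    """Return (category, detail) for one violation report given as JSON text."""
    body = json.loads(report_json)
    r = body.get("csp-report", body)  # tolerate reports sent without the wrapper
    # violated-directive carries the whole clause ("default-src 'self'"); keep the name
    directive = r.get("violated-directive", "").split(" ", 1)[0] or "unknown"
    blocked = r.get("blocked-uri", "")
    if blocked in INLINE_MARKERS:
        # Inline script/style the page never shipped: the injected-JS case from the thread
        return ("injected-inline", directive)
    host = urlsplit(blocked).hostname or blocked
    sources = parse_policy(policy)
    allowed = sources.get(directive, sources.get("default-src", []))
    if host in allowed:
        # The UA enforced a policy that differs from ours: stale page or rewritten header
        return ("allowed-host", host)
    # A resource rewritten to point at a host outside the policy (the image redirection case)
    return ("unexpected-host", host)


def suspicious_networks(reports, prefixlen=24, min_reports=3, min_share=0.8):
    """Group (client_ip, report_json) pairs by network and return those networks where
    at least min_share of the reports look like injection, i.e. an ISP-wide pattern
    rather than one misbehaving client."""
    stats = defaultdict(lambda: [0, 0])  # network -> [total, bad]
    for client_ip, report_json in reports:
        net = ip_network(f"{client_ip}/{prefixlen}", strict=False)
        category, _ = classify(report_json)
        stats[net][0] += 1
        if category in ("injected-inline", "unexpected-host"):
            stats[net][1] += 1
    return sorted(str(net) for net, (total, bad) in stats.items()
                  if total >= min_reports and bad / total >= min_share)


def csp_header_for(client_ip, skip_networks, policy=POLICY):
    """The last option in the message: send no CSP to clients behind a known-tampering
    ISP (returns None), the normal policy to everyone else."""
    addr = ip_address(client_ip)
    if any(addr in ip_network(n) for n in skip_networks):
        return None
    return policy


def _report(doc, directive, blocked):
    return json.dumps({"csp-report": {"document-uri": doc, "violated-directive": directive,
                                      "blocked-uri": blocked, "original-policy": POLICY}})


# Constructed sample: 203.0.113.0/24 plays the injecting ISP, 198.51.100.0/24 an ordinary one.
SAMPLE_REPORTS = [
    ("203.0.113.10", _report("http://www.example.com/", "default-src 'self'", "")),
    ("203.0.113.11", _report("http://www.example.com/", "default-src 'self'", "inline")),
    ("203.0.113.12", _report("http://www.example.com/", "img-src 'self' static.example.net",
                             "http://img-cache.isp.example/w/logo.png")),
    ("198.51.100.7", _report("http://www.example.com/", "img-src 'self' static.example.net",
                             "http://cdn.partner.example/banner.png")),
    ("198.51.100.8", _report("http://www.example.com/", "img-src 'self' static.example.net",
                             "http://static.example.net/logo.png")),
]

if __name__ == "__main__":
    for ip, rep in SAMPLE_REPORTS:
        print(ip, classify(rep))
    bad = suspicious_networks(SAMPLE_REPORTS)
    print("networks to treat as tampering:", bad)
    print("CSP for 203.0.113.99:", csp_header_for("203.0.113.99", bad))
```

Two caveats from the message apply to this logic as well: it only sees what the ISP lets through (a deliberate attacker would drop the header or the report), and the "allowed-host" bucket exists because a report can cite a policy other than the one the server currently sends, so it should be investigated rather than ignored.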