- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Tue, 16 Oct 2012 22:58:14 +0000
- To: Fred Andrews <fredandw@live.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2A08D0@DEN-EXDDA-S12.corp.ebay.com>
The current spec requires reporting for a user agent to claim a conformant implementation. A user agent, plugin or proxy could certainly provide a means for users to control this behavior. Many user agents have long provided the ability to, e.g. turn off loading of images, css or script, override page-specified fonts and colors, or disable cookies, and they could choose to do so for CSP or sub-features of CSP. It is not traditional for these specifications to speak directly to such options as:

1) Whether and how to provide these controls is at the prerogative of the user and their user agent

2) A user agent so configured is not providing a compliant implementation of those specifications - it is opting out of doing so

Reporting and feedback is a core feature of and use case for CSP. I don't think there has been any interest expressed by members of the WG to make it optional for compliance purposes. I have similarly seen little or no interest by implementers in making it opt-in (vs opt-out) as CSP's reporting does not provide any qualitatively new functionality to resource authors (even with non-same origin reports) that hasn't been present since the introduction of JavaScript in 1995 - it only provides a declarative policy language to simplify their generation in a standard format.

-Brad Hill

From: Fred Andrews [mailto:fredandw@live.com]
Sent: Tuesday, October 16, 2012 3:37 PM
To: public-webappsec@w3.org
Subject: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

It would be appreciated if the WG could clarify if a browser conforming to CSP 1.0 is permitted to implement reporting as opt-in?

It was my understanding based on the decision of issue 11 and prior discussion on this list that CSP 1.0 required a UA to submit a report when requested by the server and thus that a server could depend on this. However a recent response suggests this may not be the consensus.

cheers
Fred
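The thread turns on the declarative side of CSP reporting: a `report-uri` directive in the policy header, and a violation report POSTed by the user agent in a standard JSON shape. The following is an added example, not code from the thread or from any browser or W3C implementation, showing the receiving side that a server operator would write: parsing the policy header to see which report endpoints it declares (first occurrence of a directive wins, as CSP 1.0 specifies), then validating and summarising an incoming report before it is logged. The report fields used (`document-uri`, `referrer`, `blocked-uri`, `violated-directive`, `original-policy` under a top-level `csp-report` object) are the CSP 1.0 report format; the sample header, sample report and hostnames are constructed for the example.

```python
"""Server-side handling of CSP 1.0 policy headers and violation reports.

Added example for illustration; not part of the mailing-list thread.
"""
import json
from urllib.parse import urlsplit

# Constructed sample policy: the kind of header a site would send.
SAMPLE_HEADER = (
    "default-src 'self'; script-src 'self' https://cdn.example; "
    "report-uri /csp-report"
)

# Constructed sample report: what a conforming UA would POST to /csp-report
# when an inline or third-party script is blocked by the policy above.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://site.example/checkout",
        "referrer": "",
        "blocked-uri": "https://third-party.example/widget.js?v=3",
        "violated-directive": "script-src 'self' https://cdn.example",
        "original-policy": SAMPLE_HEADER,
    }
})

# Fields a report must carry before we trust it enough to log.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; tokens inside are whitespace-separated.
    CSP 1.0 ignores a repeated directive name, so the first one wins.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, values)
    return policy


def report_uris(header: str) -> list:
    """Return the endpoints the policy asks the UA to report violations to."""
    return parse_csp(header).get("report-uri", [])


def parse_report(body: str, max_bytes: int = 4096) -> dict:
    """Validate a POSTed report body; return the csp-report object or raise.

    Reports come from arbitrary clients, so bound the size, require JSON,
    require the wrapping object and require the fields we rely on.
    """
    if len(body) > max_bytes:
        raise ValueError("report too large")
    try:
        document = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from None
    report = document.get("csp-report") if isinstance(document, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str):
            raise ValueError(f"missing or non-string field: {field}")
    return report


def summarize(report: dict) -> dict:
    """Reduce a validated report to a compact record for logging.

    Only the origin of blocked-uri is kept: the path and query of a blocked
    resource can carry tokens that should not end up in logs.
    """
    blocked = report.get("blocked-uri", "")
    parts = urlsplit(blocked)
    blocked_origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
    return {
        "page": report["document-uri"],
        "directive": report["violated-directive"].split()[0],
        "blocked": blocked_origin,
    }


def handle_report(body: str) -> dict:
    """Full path for one incoming report: validate, then summarise."""
    return summarize(parse_report(body))


if __name__ == "__main__":
    print("report endpoints:", report_uris(SAMPLE_HEADER))
    print("log record:", handle_report(SAMPLE_REPORT))
```

The header parser is deliberately minimal (no source-expression validation), since the point here is only to see which endpoints a policy names and to process what comes back; a production endpoint would also rate-limit per client and tie reports to the policy version it actually served.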
Received on Tuesday, 16 October 2012 22:58:44 UTC