Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

On 10/16/12 3:36 PM, Fred Andrews wrote:
> CSP 1.0 required a UA to submit a report when requested by the server
> and thus that a server could depend on this.

Servers can't rely on anything. The client might not support CSP at all.
The client might partially support a non-standard predecessor of the
approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
support.

CSP cannot be relied on to turn an insecure site into a secure site; the
site author still must strive to make their site secure. CSP provides a
syntax by which a server can specify constraints it expects its content
to follow so that a UA can provide some backup defense in depth in the
face of bugs or attacks. But servers absolutely cannot rely on the
client doing this.

In the most trivial of examples: even if the client fully enforces the
spec with no user modifications, if the content is not served over SSL
the CSP policy itself might be stripped from the content before it
reaches the client. The server should not rely on reports.

-Dan Veditz

Received on Wednesday, 17 October 2012 01:35:37 UTC
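
An added example, not part of the message above or of any project's code: a report-uri intake that treats violation reports as unauthenticated, best-effort telemetry, since a client may never send them and anyone can POST to the endpoint. The names `parse_csp_report`, `summarize`, `MAX_BODY` and the origin `https://example.test` are assumptions made for illustration; the field names are those of the CSP 1.0 violation report.

```python
import json

MAX_BODY = 8192  # assumed size cap for one report body
# Keys of the "csp-report" object in a CSP 1.0 violation report.
FIELDS = ("document-uri", "referrer", "blocked-uri",
          "violated-directive", "original-policy")

def parse_csp_report(body, own_origin):
    """Return a sanitized report dict, or None when the body is unusable.
    Anyone can POST to the report URI, so every field is untrusted."""
    if len(body) > MAX_BODY:
        return None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, deep nesting
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    clean = {}
    for name in FIELDS:
        value = report.get(name, "")
        if not isinstance(value, str):
            return None
        # Drop control characters so a value cannot forge extra log lines.
        clean[name] = "".join(c for c in value if c.isprintable())[:512]
    if not clean["document-uri"].startswith(own_origin + "/"):
        return None  # report claims to be about a page that is not ours
    return clean

def summarize(bodies, own_origin):
    """Tally accepted reports per directive and count rejected bodies.
    An empty tally means no reports arrived, not that nothing was violated."""
    counts, rejected = {}, 0
    for body in bodies:
        report = parse_csp_report(body, own_origin)
        if report is None:
            rejected += 1
            continue
        directive = report["violated-directive"].split(" ")[0] or "unknown"
        counts[directive] = counts.get(directive, 0) + 1
    return counts, rejected

# Constructed sample bodies: one valid, one not JSON, one foreign page, one wrong shape.
SAMPLE_BODIES = [
    b'{"csp-report": {"document-uri": "https://example.test/a", "referrer": "",'
    b' "blocked-uri": "http://cdn.example/x.js", "violated-directive":'
    b' "script-src \'self\'", "original-policy": "script-src \'self\'"}}',
    b"not json",
    b'{"csp-report": {"document-uri": "https://other.example/"}}',
    b'{"csp-report": ["x"]}',
]
```

The tally is useful for tuning a policy, but access control and output encoding on the server have to hold whether or not any report ever arrives.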