RE: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

Hi Dan,

Just to clarify, when reporting is required the server can depend on the absence
of a report when it trips its own policy to signal that the UA has not implemented
the policy.   If reporting is opt-in the server can not depend on the absence of
a report to signal that the UA has not implemented a policy - it could just indicate
that the UA has decided not to send the report.

cheers
Fred

> Date: Tue, 16 Oct 2012 18:35:10 -0700
> From: dveditz@mozilla.com
> To: fredandw@live.com
> CC: public-webappsec@w3.org
> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
> 
> On 10/16/12 3:36 PM, Fred Andrews wrote:
> > CSP 1.0 required a UA to submit a report when requested by the server
> > and thus that a server could depend on this.
> 
> Servers can't rely on anything. The client might not support CSP at all.
> The client might partially support a non-standard predecessor of the
> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
> support.
> 
> CSP cannot be relied on to turn an insecure site into a secure site; the
> site author still must strive to make their site secure. CSP provides a
> syntax by which a server can specify constraints it expects its content
> to follow so that a UA can provide some backup defense in depth in the
> face of bugs or attacks. But servers absolutely cannot rely on the
> client doing this.
> 
> In the most trivial of examples: even if the client fully enforces the
> spec with no user modifications, if the content is not served over SSL
> the CSP policy itself might be stripped from the content before it
> reaches the client. The server should not rely on reports.
> 
> -Dan Veditz
> 
 		 	   		  

Received on Wednesday, 17 October 2012 10:50:17 UTC