RE: CSP 1.0: Are UAs permitted to implement reporting as opt-in?

Hi Adam,

Sure, popular browsers can implement what they want, however it does
not necessarily mean that it deserves to be standardized under the w3c.

cheers
Fred
> From: w3c@adambarth.com
> Date: Wed, 17 Oct 2012 09:17:35 -0700
> To: fredandw@live.com
> CC: dveditz@mozilla.com; public-webappsec@w3.org
> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
> 
> What servers can depend on relates to what's implemented by popular
> user agents, not what the spec requires.
> 
> Adam
> 
> 
> On Wed, Oct 17, 2012 at 3:49 AM, Fred Andrews <fredandw@live.com> wrote:
> > Hi Dan,
> >
> > Just to clarify, when reporting is required the server can depend on the
> > absence of a report when it trips its own policy to signal that the UA has
> > not implemented the policy. If reporting is opt-in the server cannot depend
> > on the absence of a report to signal that the UA has not implemented a
> > policy - it could just indicate that the UA has decided not to send the
> > report.
> >
> > cheers
> > Fred
> >
> >> Date: Tue, 16 Oct 2012 18:35:10 -0700
> >> From: dveditz@mozilla.com
> >> To: fredandw@live.com
> >> CC: public-webappsec@w3.org
> >> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
> >
> >>
> >> On 10/16/12 3:36 PM, Fred Andrews wrote:
> >> > CSP 1.0 required a UA to submit a report when requested by the server
> >> > and thus that a server could depend on this.
> >>
> >> Servers can't rely on anything. The client might not support CSP at all.
> >> The client might partially support a non-standard predecessor of the
> >> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
> >> support.
> >>
> >> CSP cannot be relied on to turn an insecure site into a secure site; the
> >> site author still must strive to make their site secure. CSP provides a
> >> syntax by which a server can specify constraints it expects its content
> >> to follow so that a UA can provide some backup defense in depth in the
> >> face of bugs or attacks. But servers absolutely cannot rely on the
> >> client doing this.
> >>
> >> In the most trivial of examples: even if the client fully enforces the
> >> spec with no user modifications, if the content is not served over SSL
> >> the CSP policy itself might be stripped from the content before it
> >> reaches the client. The server should not rely on reports.
> >>
> >> -Dan Veditz
> >>
> 
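As an added illustration of the point the thread turns on (this is not code from any participant or from the CSP spec): a minimal report-uri receiver that parses a CSP 1.0 violation report and compares the report's original-policy with the policy the server believes it served. The sample report, the served policy string and the size limit are all constructed for the example.

```python
import json

# Constructed sample: the JSON body a CSP 1.0 user agent POSTs to the
# report-uri when a page trips its own policy (field names as in CSP 1.0).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://shop.example/checkout",
        "referrer": "",
        "blocked-uri": "https://cdn.example/tracker.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }
})

# The policy this hypothetical server sends in its CSP response header.
SERVED_POLICY = "default-src 'self'; report-uri /csp-report"

REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")
MAX_REPORT_BYTES = 8192  # arbitrary bound chosen for the example


def parse_csp_report(body):
    """Parse a report-uri POST body; return the inner dict, or None if malformed.

    Reports are untrusted input from arbitrary clients: bound the size and
    require valid JSON, the 'csp-report' wrapper and the fields the server
    needs before acting on any of them.
    """
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    if any(not isinstance(report.get(f), str) for f in REQUIRED_FIELDS):
        return None
    return report


def policy_matches(report, served_policy=SERVED_POLICY):
    """True when the report's original-policy is exactly what this server sent.

    A received report shows that some UA enforced some policy; the comparison
    flags a policy altered in transit or a report that was not produced from
    our header. The absence of reports proves nothing: no CSP support,
    opt-in reporting, or a header stripped on plain HTTP all look the same.
    """
    return report["original-policy"] == served_policy
```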

Received on Wednesday, 17 October 2012 21:25:29 UTC