Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in? from Adam Barth on 2012-10-17 (public-webappsec@w3.org from October 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Oct 2012 14:42:42 -0700
To: Fred Andrews <fredandw@live.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAJE5ia_NE89hPYA0jrYicn-N8jhbcyK6MztcepT7oeC5NOLi0w@mail.gmail.com>

Anyway, I think your question has been answered.  The spec requires
it.  Servers cannot rely upon it.

Adam


On Wed, Oct 17, 2012 at 2:25 PM, Fred Andrews <fredandw@live.com> wrote:
> Hi Adam,
>
> Sure, popular browsers can implement what they want, however it does
> not necessarily mean that it deserves to be standardized under the w3c.
>
> cheers
> Fred
>
>
>> From: w3c@adambarth.com
>> Date: Wed, 17 Oct 2012 09:17:35 -0700
>> To: fredandw@live.com
>> CC: dveditz@mozilla.com; public-webappsec@w3.org
>
>> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>>
>> What servers can depend on relates to what's implemented by popular
>> user agents, not what the spec requires.
>>
>> Adam
>>
>>
>> On Wed, Oct 17, 2012 at 3:49 AM, Fred Andrews <fredandw@live.com> wrote:
>> > Hi Dan,
>> >
>> > Just to clarify, when reporting is required the server can depend on the
>> > absence
>> > of a report when it trips its own policy to signal that the UA has not
>> > implemented
>> > the policy. If reporting is opt-in the server can not depend on the
>> > absence of
>> > a report to signal that the UA has not implemented a policy - it could
>> > just
>> > indicate
>> > that the UA has decided not to send the report.
>> >
>> > cheers
>> > Fred
>> >
>> >> Date: Tue, 16 Oct 2012 18:35:10 -0700
>> >> From: dveditz@mozilla.com
>> >> To: fredandw@live.com
>> >> CC: public-webappsec@w3.org
>> >> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as
>> >> opt-in?
>> >
>> >>
>> >> On 10/16/12 3:36 PM, Fred Andrews wrote:
>> >> > CSP 1.0 required a UA to submit a report when requested by the server
>> >> > and thus that a server could depend on this.
>> >>
>> >> Servers can't rely on anything. The client might not support CSP at
>> >> all.
>> >> The client might partially support a non-standard predecessor of the
>> >> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
>> >> support.
>> >>
>> >> CSP cannot be relied on to turn an insecure site into a secure site;
>> >> the
>> >> site author still must strive to make their site secure. CSP provides a
>> >> syntax by which a server can specify constraints it expects its content
>> >> to follow so that a UA can provide some backup defense in depth in the
>> >> face of bugs or attacks. But servers absolutely cannot rely on the
>> >> client doing this.
>> >>
>> >> In the most trivial of examples: even if the client fully enforces the
>> >> spec with no user modifications, if the content is not served over SSL
>> >> the CSP policy itself might be stripped from the content before it
>> >> reaches the client. The server should not rely on reports.
>> >>
>> >> -Dan Veditz
>> >>
>>

Received on Wednesday, 17 October 2012 21:43:42 UTC