- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 17 Oct 2012 14:42:42 -0700
- To: Fred Andrews <fredandw@live.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Anyway, I think your question has been answered. The spec requires it. Servers cannot rely upon it.

Adam

On Wed, Oct 17, 2012 at 2:25 PM, Fred Andrews <fredandw@live.com> wrote:
> Hi Adam,
>
> Sure, popular browsers can implement what they want, however it does
> not necessarily mean that it deserves to be standardized under the w3c.
>
> cheers
> Fred
>
>> From: w3c@adambarth.com
>> Date: Wed, 17 Oct 2012 09:17:35 -0700
>> To: fredandw@live.com
>> CC: dveditz@mozilla.com; public-webappsec@w3.org
>> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>>
>> What servers can depend on relates to what's implemented by popular
>> user agents, not what the spec requires.
>>
>> Adam
>>
>> On Wed, Oct 17, 2012 at 3:49 AM, Fred Andrews <fredandw@live.com> wrote:
>> > Hi Dan,
>> >
>> > Just to clarify, when reporting is required the server can depend on the
>> > absence of a report when it trips its own policy to signal that the UA
>> > has not implemented the policy. If reporting is opt-in the server can not
>> > depend on the absence of a report to signal that the UA has not
>> > implemented a policy - it could just indicate that the UA has decided
>> > not to send the report.
>> >
>> > cheers
>> > Fred
>> >
>> >> Date: Tue, 16 Oct 2012 18:35:10 -0700
>> >> From: dveditz@mozilla.com
>> >> To: fredandw@live.com
>> >> CC: public-webappsec@w3.org
>> >> Subject: Re: CSP 1.0: Are UAs permitted to implement reporting as opt-in?
>> >>
>> >> On 10/16/12 3:36 PM, Fred Andrews wrote:
>> >> > CSP 1.0 required a UA to submit a report when requested by the server
>> >> > and thus that a server could depend on this.
>> >>
>> >> Servers can't rely on anything. The client might not support CSP at all.
>> >> The client might partially support a non-standard predecessor of the
>> >> approved CSP spec (e.g. Firefox 4). The user might have turned off CSP
>> >> support.
>> >>
>> >> CSP cannot be relied on to turn an insecure site into a secure site; the
>> >> site author still must strive to make their site secure. CSP provides a
>> >> syntax by which a server can specify constraints it expects its content
>> >> to follow so that a UA can provide some backup defense in depth in the
>> >> face of bugs or attacks. But servers absolutely cannot rely on the
>> >> client doing this.
>> >>
>> >> In the most trivial of examples: even if the client fully enforces the
>> >> spec with no user modifications, if the content is not served over SSL
>> >> the CSP policy itself might be stripped from the content before it
>> >> reaches the client. The server should not rely on reports.
>> >>
>> >> -Dan Veditz
Received on Wednesday, 17 October 2012 21:43:42 UTC
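The policy-and-report mechanism the thread argues about, as an added example that is not part of this list archive or of any CSP implementation: a server emits a CSP 1.0 policy with a `report-uri`, and a receiver parses whatever a UA chooses to POST back. The report field names follow the CSP 1.0 `csp-report` format; the endpoint path, the policy string and the sample report are constructed for the example. The point Dan Veditz and Adam Barth make is carried into the code: a report that arrives tells you something (including whether the policy the UA saw is the one you sent), but the absence of a report is never treated as evidence of enforcement.

```python
import json
from typing import Optional

# Policy this (hypothetical) server sends. 'report-uri' asks a conforming UA
# to POST a JSON violation report; as the thread says, absence of a report
# proves nothing about whether the policy reached, or was enforced by, the UA.
CSP_POLICY = "default-src 'self'; report-uri /csp-report"
REPORT_ENDPOINT = "/csp-report"  # assumed path, not from the thread

# Field names of the CSP 1.0 "csp-report" object.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")
KNOWN_FIELDS = REQUIRED_FIELDS + ("referrer", "blocked-uri")


def build_headers() -> dict:
    """Response headers that deliver the policy to the UA."""
    return {"Content-Security-Policy": CSP_POLICY}


def parse_csp_report(body: bytes, max_bytes: int = 64 * 1024) -> Optional[dict]:
    """Parse one report body POSTed to the report-uri.

    The body is untrusted input from an arbitrary client (anyone can POST to
    the endpoint), so the parser bounds its size, tolerates malformed JSON,
    requires the mandatory fields, and keeps only known string-valued fields.
    Returns the cleaned report, or None if the body is not a usable report.
    """
    if len(body) > max_bytes:
        return None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    if not all(isinstance(report.get(k), str) for k in REQUIRED_FIELDS):
        return None
    return {k: report[k] for k in KNOWN_FIELDS if isinstance(report.get(k), str)}


def matches_sent_policy(report: dict) -> bool:
    """True when the UA reports enforcing exactly the policy we emitted.

    A mismatch is a useful signal (a proxy rewrote the header over plain HTTP,
    a stale policy is still cached, a UA reported a partial or non-standard
    policy). The reverse inference is not available: no report at all is not
    evidence that the policy is being enforced.
    """
    return report["original-policy"] == CSP_POLICY


def summarize(report: dict) -> str:
    """One log line per report; values are %r-quoted because they are client-controlled."""
    return "csp-violation directive=%r blocked=%r page=%r policy_match=%s" % (
        report["violated-directive"],
        report.get("blocked-uri", ""),
        report["document-uri"],
        matches_sent_policy(report),
    )


# Constructed sample report, shaped like what a CSP 1.0 UA would POST.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/page",
    "referrer": "",
    "blocked-uri": "https://cdn.example/app.js",
    "violated-directive": "default-src 'self'",
    "original-policy": CSP_POLICY,
}}).encode("utf-8")

if __name__ == "__main__":
    print(build_headers())
    parsed = parse_csp_report(SAMPLE_REPORT)
    print(summarize(parsed))
    print(parse_csp_report(b"not json"))  # None: rejected, not crashed
```

The receiver is deliberately defensive about its input: the report endpoint is reachable by anyone, not only by UAs that saw your page, so nothing in a report (or in its absence) should change server-side security decisions; reports are telemetry for finding bugs and misconfigurations, which is the backup role Dan describes.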