- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 13 Sep 2012 08:46:30 -0700
- To: Fred Andrews <fredandw@live.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
It's not a security or privacy problem to make UA features detectable. In fact, that's commonly a goal of new features. In CSP 1.1, we plan to add an explicit mechanism for the server to detect which CSP features the UA supports.

If you follow your line of reason, then all UA requirements in all specs would be downgraded from MUST to SHOULD. That's not how we write specs in the W3C.

The important thing to realize is that UAs are not required to implement CSP at all. The requirements in the spec apply only if the UA chooses to implement CSP. If a UA does implement CSP, the UA MUST do various things, including actually enforcing the policies.

Adam

On Thu, Sep 13, 2012 at 6:47 AM, Fred Andrews <fredandw@live.com> wrote:
> The CSP requirement that the UA MUST enforce the policies and MUST monitor
> them when so declared, combined with the required reporting, may have the
> unexpected consequence of allowing the server to probe the CSP capabilities
> of the client. Further, it would allow content to be written that depends on
> CSP for correct operation, and this would not appear to be the intent of CSP.
>
> For example, a server could declare reporting of various directives and
> deliberately trip these checks to have reports returned. The presence or
> absence of these reports would leak capabilities of the UA back to the
> server. This is a privacy and fingerprinting issue, and could even be used
> to refuse service to a UA with reporting disabled.
>
> Could I suggest changing the following uses of MUST to SHOULD or MAY to help
> avoid these issues.
>
> "Content-Security-Policy Header Field: ... Upon receiving an HTTP response
> containing at least one Content-Security-Policy header field, the user agent
> SHOULD enforce each of the policies contained in each such header field."
>
> "Content-Security-Policy-Report-Only Header Field: ... Upon receiving an
> HTTP response containing at least one Content-Security-Policy-Report-Only
> header field, the user agent SHOULD monitor each of the policies contained
> in each such header field."
>
> Making reporting opt-in would also address this matter.
>
> cheers
> Fred
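As an added illustration of the behaviour the thread argues about (not code from the thread, the spec, or any browser), here is a small Python model of what a UA that monitors a CSP 1.0 policy would POST to `report-uri` for a given load, and of the fact that an undeclared or unsupported directive yields no report at all. The policy, page URL and hostnames are constructed sample values; ports, paths and nonce/hash sources are deliberately not modelled.

```python
from urllib.parse import urlsplit

def parse_csp_header(value):
    """CSP 1.0: directives are ';'-separated, each a name followed by a
    whitespace-separated source list; a repeated name is ignored."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split(None, 1)
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1].split() if len(parts) > 1 else []
    return policy

def source_allows(sources, page_origin, url):
    """Minimal source-list matching: 'none', '*', 'self', scheme://host,
    bare host and *.host wildcards (ports and paths deliberately ignored)."""
    target = urlsplit(url)
    origin = f"{target.scheme}://{target.netloc}"
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*" or (s == "self" and origin == page_origin) or s == origin:
            return True
        if "://" not in s and (s == target.netloc or (s.startswith("*.")
                and target.hostname and target.hostname.endswith(s[1:]))):
            return True
    return False

def violation_report(header, page_url, directive, blocked_url):
    """The CSP 1.0 report a monitoring UA POSTs to report-uri when loading
    blocked_url under `directive`, or None if the load is allowed or the
    directive is not declared. A UA that does not implement CSP (or that
    directive) sends nothing: the presence of a report is what leaks."""
    policy = parse_csp_header(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return None
    page = urlsplit(page_url)
    if source_allows(sources, f"{page.scheme}://{page.netloc}", blocked_url):
        return None
    return {"csp-report": {"document-uri": page_url, "blocked-uri": blocked_url,
                           "violated-directive": f"{directive} {' '.join(sources)}",
                           "original-policy": header}}

# Constructed sample values, not taken from the thread.
POLICY = "default-src 'self'; img-src 'self' *.static.example; report-uri /csp-report"
PAGE = "https://app.example/index.html"
```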
Received on Thursday, 13 September 2012 15:47:30 UTC