RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

Dear Brad,

Thank you again for the insights.

I appreciate that the w3c might view fingerprinting and tracking as inevitable, but their options appear to be rather constrained by interest groups.  Users do not have such constraints and UA development driven by user needs may well be able to address this issue.

Note that the firefox 'noscript' extension webpage currently reports 2,180,733 users, and the Ghostery extension 675,177 users.  There is some interest in such tools - even if they have knobs on them.

CSP could have also helped improve safety for users interested in privacy and could have complemented their needs, so it is a bit disappointing that their needs can not be considered.

It should be possible for content servers to choose to support both the published CSP and users interested in privacy by not requiring reports be returned, not depending on being able to trip their own restrictions, and not depending on DOM access.

Policy based solutions to tracking, such as DNT, just increase the fingerprint surface - its good for a laugh though.

There are many sources of leaks, but there are technical solutions to address large classes of these leaks.  I see it as quite practical for children and new web users to start with such UAs as they would be inherently safer and less of a cognitive burden.

It is true that a privacy sensitive UA would be identifiable from current standard UAs - it can probably not all be spoofed well.  These UAs would need a significant share of usage for protection.   By design and necessity they would all want to appear the same which would help improve their share.  Privacy is not an all-or-nothing matter, and improved privacy and safety may well be enough for many users.

cheers
Fred

From: bhill@paypal-inc.com
To: fredandw@live.com; eoftedal@gmail.com; w3c@adambarth.com
CC: public-webappsec@w3.org
Date: Fri, 14 Sep 2012 22:16:10 +0000
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid