- From: Tom Ritter <tom@ritter.vg>
- Date: Wed, 17 Apr 2013 09:48:46 -0400
- To: public-webappsec@w3.org
I hear more and more talk about CSP being used primarily in Report-Only mode. I think that's fair, as website operators are nervous about degrading the experience of their users accidentally. But it also takes away some of the proactive protection users enjoy as part of it.

I'm less familiar with the W3C mechanisms, but perhaps a paragraph could be added to the "Implementation Considerations" section, or a "User Agent may" paragraph in the "Processing Model" section? If a User Agent provides extensibility points to be used by third party plugins, it [may?/should?] provide extensibility points relating to failures in both enforcement and monitor modes.

Similar to HPKP (if you saw my email there), I envision a browser extension (which is naturally an opt-in mechanism) that flags Report-Only violations so users are aware of them, and can investigate. I envision another one, perhaps run by the EFF, a corporation's IT security team, or one of the various "Internet Storm Centers" that actually sends these reports anonymized to a second, central database (besides report-uri) where volunteers or employees could review them for suspicious entries.

-tom
Received on Wednesday, 17 April 2013 13:49:34 UTC
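The following is an added example, not part of the e-mail above, any browser, or any extension: a minimal CSP 1.0 source-list matcher in JavaScript that takes a page's CSP header (enforcing or Report-Only) and the resources the page tried to load, produces the violation reports a user agent would POST to report-uri, and tags each with whether the load was actually blocked, which is the distinction a user-facing extension would need to surface Report-Only violations. The page URL, header, resource loads and the anonymization rule (dropping query strings and fragments before forwarding to a central collector) are all constructed assumptions; path-sources (CSP 1.1) and inline/eval checks are not handled.

```javascript
// Added example (not from the original e-mail or any real user agent):
// CSP 1.0 source matching, violation-report generation, and a hypothetical
// anonymization step before forwarding reports to a shared collector.

// Directives that fall back to default-src when absent (CSP 1.0).
const FALLBACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src",
]);

// "default-src 'self'; script-src 'self' https://cdn.example.com"
//   -> Map { "default-src" => ["'self'"], "script-src" => [...] }
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression permit fetching `url` from a page at `pageUrl`?
// Handles 'none', 'self', *, scheme-sources ("https:") and host-sources
// ("[scheme://]host[:port]" with an optional leading "*." wildcard).
function sourceMatches(source, url, pageUrl) {
  const u = new URL(url), p = new URL(pageUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === p.origin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false;      // 'unsafe-inline'/'unsafe-eval' never permit a URL fetch
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {     // scheme-source, e.g. "https:"
    return u.protocol.toLowerCase() === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // No scheme in the source means "same scheme as the protected page".
  const wantProto = scheme ? `${scheme.toLowerCase()}:` : p.protocol;
  if (u.protocol !== wantProto) return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith(`.${want}`) : h !== want) return false;
  // No port in the source means the scheme's default port (URL gives "" for it).
  if (port === undefined) return u.port === "";
  return port === "*" || u.port === port;
}

// Directive governing a load of `type` ("script", "img", ...), with the
// CSP 1.0 fallback to default-src; null means nothing restricts the load.
function governingDirective(policy, type) {
  const name = `${type}-src`;
  if (policy.has(name)) return name;
  if (FALLBACK_TO_DEFAULT.has(name) && policy.has("default-src")) return "default-src";
  return null;
}

// Build a CSP 1.0 violation report for one load, or null if it is permitted.
// `enforced` (outside the csp-report object, because it is not a spec field)
// records whether the header actually blocked the resource: false under
// Content-Security-Policy-Report-Only, where the resource still loads.
function checkLoad(headerName, header, pageUrl, type, url) {
  const policy = parsePolicy(header);
  const directive = governingDirective(policy, type);
  if (directive === null) return null;
  const sources = policy.get(directive);
  if (sources.some((s) => sourceMatches(s, url, pageUrl))) return null;
  return {
    "csp-report": {
      "document-uri": pageUrl,
      "blocked-uri": url,
      "violated-directive": `${directive} ${sources.join(" ")}`,
      "original-policy": header,
    },
    enforced: headerName.toLowerCase() === "content-security-policy",
  };
}

// Assumed anonymization before forwarding to a hypothetical central collector:
// keep origin + path only, so session ids in query strings never leave the
// browser. blocked-uri may be a non-URL such as "inline", hence the try/catch.
function anonymizeReport(report) {
  const strip = (s) => { try { const u = new URL(s); return u.origin + u.pathname; } catch { return s; } };
  const r = report["csp-report"];
  return {
    "csp-report": { ...r, "document-uri": strip(r["document-uri"]), "blocked-uri": strip(r["blocked-uri"]) },
    enforced: report.enforced,
  };
}

function reportsFor(headerName, header, pageUrl, loads) {
  return loads.map(([type, url]) => checkLoad(headerName, header, pageUrl, type, url)).filter(Boolean);
}

// Constructed sample input: a checkout page served with a Report-Only policy.
const PAGE = "https://shop.example.com/checkout?session=abc123";
const HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
const LOADS = [
  ["script", "https://cdn.example.com/app.js"],                  // permitted
  ["script", "https://evil.example.net/skimmer.js?victim=abc123"], // violates script-src
  ["img", "http://tracker.example.org/pixel.gif"],               // permitted by img-src *
  ["connect", "https://api.example.com/v1"],                     // violates default-src 'self'
];

for (const r of reportsFor("Content-Security-Policy-Report-Only", HEADER, PAGE, LOADS)) {
  console.log(JSON.stringify(anonymizeReport(r)));
}
```

Running it prints two reports, both with `enforced: false`: the skimmer script and the cross-origin XHR were reported but not blocked. An extension of the kind described in the e-mail would key on exactly that flag to warn the user, while the collector-bound copy has already had `?session=abc123` and `?victim=abc123` stripped.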