CSP, Remote-Only Mode, and Browser Extensions

From: Tom Ritter <tom@ritter.vg>
Date: Wed, 17 Apr 2013 09:48:46 -0400
Message-ID: <CA+cU71nbVz26uOq9Q-2yyJrAyJKrJ48XbTMn0Vs1tuCVVmhSQw@mail.gmail.com>
To: public-webappsec@w3.org
I hear more and more talk about CSP being used primarily in
Report-Only mode.  I think that's fair, as website operators are
nervous about degrading the experience of their users accidentally.  But
it also takes away some of the proactive protection users enjoy as
part of it.

I'm less familiar with the W3C mechanisms, but perhaps a paragraph
could be added to the "Implementation Considerations" section, or a
"User Agent may" paragraph in the "Processing Model" section?

  If a User Agent provides extensibility points
  to be used by third party plugins, it [may?/should?]
  provide extensibility points relating to failures
  in both enforcement and monitor modes.

Similar to HPKP (if you saw my email there), I envision a browser
extension (which is naturally an opt-in mechanism) that flags
Report-Only violations so users are aware of them, and can investigate.  I
envision another one, perhaps run by the EFF, a corporation's IT
security team, or one of the various "Internet Storm Centers" that
actually sends these reports anonymized to a second, central database
(besides report-uri) where volunteers or employees could review them
for suspicious entries.

-tom
Received on Wednesday, 17 April 2013 13:49:34 UTC
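Editor's note, added after the message above and not part of it: the
second half of Tom's proposal (a central collector, separate from the
site's own report-uri, that holds anonymized violation reports for
volunteers or staff to review) can be prototyped today on the
server side, without any new user-agent extensibility point. The
script below is an added example in Node.js, not code from the
original post or from any W3C deliverable. It takes the JSON body a
user agent POSTs to report-uri (the CSP 1.0 "csp-report" object with
its document-uri, referrer, blocked-uri, violated-directive and
original-policy fields), strips anything that could identify a user
before the record is shared, and flags the entries a reviewer should
look at. The sample reports, the KNOWN_HOSTS allow-list, the
classification rules and the function names are constructed for this
illustration and are assumptions, not data or conventions from the
mailing list.

```javascript
// Added example (not part of the original message): triage of CSP
// violation reports before forwarding them to a shared collector.
// Sample data, allow-list and rules are constructed for illustration.

// Hosts this (hypothetical) site legitimately loads script from.
// A blocked script from anywhere else deserves a human look.
const KNOWN_HOSTS = new Set(['cdn.example.com', 'www.example.com']);

// Reduce a URI to scheme + host + path: no query string, no fragment,
// no credentials, so a shared record cannot leak session tokens.
// Non-network schemes (data:, blob:, ...) are reduced to the scheme
// alone, since the payload itself may be sensitive. Values that are
// not URIs (user agents report "inline", "eval", "self" or "" for
// inline violations, depending on version) pass through unchanged.
function scrubUri(value) {
  if (!value || !/^[a-z][a-z0-9+.-]*:/i.test(value)) return value;
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return u.protocol;
    return `${u.protocol}//${u.host}${u.pathname}`;
  } catch (e) {
    return '(unparseable)';
  }
}

// Build the record that would leave the site operator's hands:
// scrubbed URIs, referrer dropped entirely, the full policy text
// replaced by the violated directive only. effective-directive is a
// CSP 1.1+ field; fall back to the first token of violated-directive.
function anonymizeReport(body) {
  const r = body['csp-report'] || {};
  const violated = r['violated-directive'] || '';
  return {
    documentUri: scrubUri(r['document-uri']),
    blockedUri: scrubUri(r['blocked-uri']),
    violatedDirective: violated,
    effectiveDirective: (r['effective-directive'] || violated).split(/\s+/)[0],
  };
}

// Classify an anonymized record. Returns a reason string for entries
// worth reviewing, or null for ordinary policy noise (blocked images,
// fonts, and scripts from hosts we already trust).
function flagReport(rec) {
  const dir = rec.effectiveDirective;
  if (dir !== 'script-src' && dir !== 'object-src') return null;
  const blocked = rec.blockedUri || '';
  if (blocked === '' || blocked === 'inline' || blocked === 'eval' || blocked === 'self') {
    return `${dir}: inline or eval'd code blocked (possible script injection)`;
  }
  if (!/^https?:\/\//i.test(blocked)) {
    return `${dir}: blocked ${blocked} (non-network scheme)`;
  }
  let host;
  try { host = new URL(blocked).host; } catch (e) { return `${dir}: unparseable blocked URI`; }
  if (!KNOWN_HOSTS.has(host)) return `${dir}: unexpected host ${host}`;
  return null;
}

// Run a batch of raw report bodies through both steps; only flagged,
// anonymized records are returned for the shared review queue.
function triage(bodies) {
  const flagged = [];
  for (const body of bodies) {
    const record = anonymizeReport(body);
    const reason = flagReport(record);
    if (reason) flagged.push({ record, reason });
  }
  return flagged;
}

// Constructed sample bodies, shaped like what a CSP 1.0 user agent
// POSTs to report-uri. Not captured from any real site.
const POLICY = "default-src 'self'; script-src 'self' cdn.example.com; report-uri /csp";
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/account?id=42#top',
      'referrer': 'https://www.example.com/login',
      'blocked-uri': 'https://evil.example.net/x.js?token=abc',
      'violated-directive': "script-src 'self' cdn.example.com", 'original-policy': POLICY } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'referrer': '',
      'blocked-uri': 'inline',
      'violated-directive': "script-src 'self' cdn.example.com", 'original-policy': POLICY } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'referrer': '',
      'blocked-uri': 'https://tracker.example.org/pixel.gif',
      'violated-directive': "img-src 'self'", 'original-policy': POLICY } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'referrer': '',
      'blocked-uri': 'https://cdn.example.com/app.js',
      'violated-directive': "script-src 'self'", 'original-policy': POLICY } },
];

for (const f of triage(SAMPLE_REPORTS)) {
  console.log(f.reason, JSON.stringify(f.record));
}
```

Of the four constructed reports, only the first two are flagged: the
script from the unknown host (with its token query string removed) and
the blocked inline script. The tracker image and the script from the
allow-listed CDN are dropped as noise, which is the point of doing the
classification before the records reach a shared database: the
central reviewers see candidate injections, not every site's policy
typos.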