RE: CSP, Remote-Only Mode, and Browser Extensions

Tom,

Thanks for the input.  This is a useful way to employ CSP and I believe that the spec today already supports it through the use of multiple policies.  You can always inject, via proxy or an extension, a new policy with a new report-uri that goes to the user's choice of report collection mechanism.

Tanvi Vyas's UserCSP extension for Firefox would be a good place to start experimenting.

https://blog.mozilla.org/tanvi/2012/09/18/user-specified-content-security-policy/

Happy to accept test cases or explore additional language if you find this pattern doesn't meet your needs, but I think it's preferable for everybody to find a way to do it in the context of the standard mechanism if we can, rather than through additional hand-wavey language about plugins.  The community is much more likely to get something that works reliably in the end.

-Brad Hill


> -----Original Message-----
> From: Tom Ritter [mailto:tom@ritter.vg]
> Sent: Wednesday, April 17, 2013 6:49 AM
> To: public-webappsec@w3.org
> Subject: CSP, Remote-Only Mode, and Browser Extensions
> 
> I hear more and more talk about CSP being used primarily in Report-Only
> mode.  I think that's fair, as website operators are nervous about degrading
> the experience of their users accidentally.  But it also takes away some of the
> proactive protection users enjoy as part of it.
> 
> I'm less familiar with the W3C mechanisms, but perhaps a paragraph could
> be added to the "Implementation Considerations" section, or a "User Agent
> may" paragraph in the "Processing Model" section?
> 
>   If a User Agent provides extensibility points
>   to be used by third party plugins, it [may?/should?]
>   provide extensibility points relating to failures
>   in both enforcement and monitor modes.
> 
> Similar to HPKP (if you saw my email there), I envision a browser extension
> (which is naturally an opt-in mechanism) that flags Report Only violations so
> users are aware of them, and can investigate.  I envision another one,
> perhaps run by the EFF, a corporation's IT security team, or one of the
> various "Internet Storm Centers" that actually sends these reports
> anonymized to a second, central database (besides report-uri) where
> volunteers or employees could review them for suspicious entries.
> 
> -tom
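The multiple-policy pattern Brad describes (a site's own enforced policy plus a Report-Only policy injected by an extension or proxy, each with its own report-uri) can be modelled with a small simulation of how a user agent combines policies. This is an added example, not code from the thread or from UserCSP; the page origin, policies and URLs are constructed, and source matching is deliberately reduced to 'self', 'none', '*' and host names.

```javascript
// Added example (not from the thread): a simplified model of how a user agent
// combines several CSP policies. Every policy is checked independently; a load is
// blocked if any *enforced* policy rejects it, and each rejecting policy emits its
// own report to its own report-uri, so an injected Report-Only policy never
// changes what the site's policy blocks, it only adds a second report stream.
const PAGE_ORIGIN = "https://app.example.com"; // constructed page origin

function parsePolicy(header, value) {
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return { enforce: header === "Content-Security-Policy", directives };
}

// Reduced source-expression matching (real CSP has schemes, paths, nonces, hashes).
function sourceMatches(src, url) {
  const u = new URL(url);
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return u.origin === PAGE_ORIGIN;
  const host = src.replace(/^https?:\/\//, "").split("/")[0].toLowerCase();
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

function policyAllows(policy, directive, url) {
  const sources = policy.directives[directive] || policy.directives["default-src"];
  if (!sources) return true; // neither the directive nor default-src: unrestricted
  return sources.some((s) => sourceMatches(s, url));
}

// Returns { blocked, reports }: one report per violating policy, routed to that
// policy's own report-uri and tagged with its disposition.
function evaluateLoad(policies, directive, url) {
  let blocked = false;
  const reports = [];
  for (const p of policies) {
    if (policyAllows(p, directive, url)) continue;
    if (p.enforce) blocked = true;
    reports.push({ reportUri: (p.directives["report-uri"] || [null])[0],
      disposition: p.enforce ? "enforce" : "report", violatedDirective: directive, blockedUri: url });
  }
  return { blocked, reports };
}

// Constructed policies: the site's enforced header, plus a Report-Only policy an
// extension or proxy injected, carrying the user's own report collector.
const SITE_POLICY = parsePolicy("Content-Security-Policy",
  "default-src 'self'; script-src 'self' cdn.example.com; report-uri /csp-report");
const USER_POLICY = parsePolicy("Content-Security-Policy-Report-Only",
  "script-src 'self'; report-uri https://collector.example.net/report");
const POLICIES = [SITE_POLICY, USER_POLICY];
```

Calling `evaluateLoad(POLICIES, "script-src", "https://cdn.example.com/lib.js")` yields no block (the site allows the CDN) but one report to the user's collector, which is exactly the opt-in visibility Tom's extension would rely on.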

Received on Wednesday, 17 April 2013 16:51:45 UTC