- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Wed, 17 Apr 2013 16:51:16 +0000
- To: Tom Ritter <tom@ritter.vg>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Tom,

Thanks for the input. This is a useful way to employ CSP and I believe that the spec today already supports it through the use of multiple policies. You can always inject, via proxy or an extension, a new policy with a new report-uri that goes to the user's choice of report collection mechanism. Tanvi Vyas's UserCSP extension for Firefox would be a good place to start experimenting.

https://blog.mozilla.org/tanvi/2012/09/18/user-specified-content-security-policy/

Happy to accept test cases or explore additional language if you find this pattern doesn't meet your needs, but I think it's preferable for everybody to find a way to do it in the context of the standard mechanism if we can, rather than through additional hand-wavey language about plugins. The community is much more likely to get something that works reliably in the end.

-Brad Hill

> -----Original Message-----
> From: Tom Ritter [mailto:tom@ritter.vg]
> Sent: Wednesday, April 17, 2013 6:49 AM
> To: public-webappsec@w3.org
> Subject: CSP, Remote-Only Mode, and Browser Extensions
>
> I hear more and more talk about CSP being used primarily in Report-Only mode. I think that's fair, as website operators are nervous about degrading the experience of their users accidentally. But it also takes away some of the proactive protection users enjoy as part of it.
>
> I'm less familiar with the W3C mechanisms, but perhaps a paragraph could be added to the "Implementation Considerations" section, or a "User Agent may" paragraph in the "Processing Model" section?
>
>     If a User Agent provides extensibility points
>     to be used by third party plugins, it [may?/should?]
>     provide extensibility points relating to failures
>     in both enforcement and monitor modes.
>
> Similar to HPKP (if you saw my email there), I envision a browser extension (which is naturally an opt-in mechanism) that flags Report Only violations so users are aware of them, and can investigate. I envision another one, perhaps run by the EFF, a corporation's IT security team, or one of the various "Internet Storm Centers" that actually sends these reports anonymized to a second, central database (besides report-uri) where volunteers or employees could review them for suspicious entries.
>
> -tom
Received on Wednesday, 17 April 2013 16:51:45 UTC
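The mechanism Brad describes, a second policy injected by a proxy or extension that carries its own report-uri alongside the site's own policy, is modelled below as an added example; it is not code from the thread, from UserCSP, or from any browser. Each delivered policy is evaluated independently: a load is blocked only if an enforced policy rejects it, while every policy that rejects it, enforced or report-only, sends a report to its own report-uri. The source-expression matcher is deliberately simplified (assumption: only `'self'`, `'none'`, scheme and host sources; no nonces, hashes or wildcards), and the hostnames, headers and collector endpoint are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample values for the demonstration (not from the thread).
PAGE_URL = "https://shop.example/checkout"
SITE_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp-report"),
]
# Stricter policy a user's proxy or extension would add in report-only mode,
# pointing at a collector of the user's choosing.
USER_POLICY = "default-src 'self'; report-uri https://collector.example/report"


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}"


def parse_policy(text):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for token in text.split(";"):
        parts = token.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_matches(source, resource_url, page_origin):
    """Simplified source-expression match: 'none', 'self', scheme: or host."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(resource_url) == page_origin
    r = urlsplit(resource_url)
    if source.endswith(":"):                      # scheme source, e.g. https:
        return r.scheme + ":" == source.lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != r.scheme:
        return False
    return s.hostname == r.hostname


def inject_user_policy(headers, policy_text):
    """What a proxy or extension would do: append a second, report-only
    policy. The site's own header is left untouched."""
    return list(headers) + [("Content-Security-Policy-Report-Only", policy_text)]


def policies_from_headers(headers):
    """Each CSP header (and each comma-separated value) is its own policy."""
    policies = []
    for name, value in headers:
        lname = name.lower()
        if lname not in ("content-security-policy",
                         "content-security-policy-report-only"):
            continue
        for text in value.split(","):
            policies.append({"text": text.strip(),
                             "report_only": lname.endswith("-report-only")})
    return policies


def evaluate(policies, resource_type, resource_url, page_url):
    """Apply every policy independently. Blocked if any enforced policy
    rejects the load; every rejecting policy reports to its own report-uri."""
    page_origin = origin_of(page_url)
    blocked, reports = False, []
    for p in policies:
        d = parse_policy(p["text"])
        directive = resource_type + "-src"
        sources = d.get(directive)
        if sources is None:                       # fall back to default-src
            directive, sources = "default-src", d.get("default-src")
        if sources is None:
            continue                              # no applicable directive
        if any(source_matches(s, resource_url, page_origin) for s in sources):
            continue
        if not p["report_only"]:
            blocked = True
        for uri in d.get("report-uri", []):
            reports.append({"report-uri": uri, "violated-directive": directive,
                            "blocked-uri": resource_url,
                            "disposition": "report" if p["report_only"] else "enforce"})
    return blocked, reports


def run_demo():
    policies = policies_from_headers(inject_user_policy(SITE_HEADERS, USER_POLICY))
    return {url: evaluate(policies, "script", url, PAGE_URL) for url in (
        "https://shop.example/app.js",   # allowed by both policies
        "https://cdn.example/lib.js",    # site allows; user policy only reports
        "https://evil.example/x.js",     # site blocks and reports; user policy reports
    )}


if __name__ == "__main__":
    for url, (blocked, reports) in run_demo().items():
        print(url, "BLOCKED" if blocked else "allowed",
              [(r["report-uri"], r["disposition"]) for r in reports])
```

The middle case is the interesting one for Tom's scenario: the CDN script passes the site's policy and loads normally, yet the user's stricter report-only policy still produces a report to the user's collector, so the site's behaviour is unchanged while the user (or a central reviewer) gains visibility.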