RE: [webappsec] POLL: Getting CSP 1.1 to LCWD from Carson, Cory on 2013-10-01 (public-webappsec@w3.org from October 2013)

From: Carson, Cory <Cory.Carson@boeing.com>
Date: Tue, 1 Oct 2013 19:01:01 +0000
To: Glenn Adams <glenn@skynav.com>, Brad Hill <hillbrad@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <0796D866AA7F644F9DA429C9C7341CE101BEE4@XCH-BLV-201.nw.nos.boeing.com>
On item 6, Disagree. I argue that item 6 is out of scope for Content Security Policy based on these points:

1. Item 6 is counter to the stated goal of CSP. Content Security Policy is intended to allow the content to request that the user agent restrict what the content may do. From the charter posted at http://www.w3.org/2011/08/appsecwg-charter.html :
    “The goal of this specification is to reduce attack surface by specifying overall rules for what content may or may not do, thus preventing violation of security assumptions by attackers who are able to partially manipulate that content.”
Item 6 would change Content Security Policy to allow the content to restrict what the user agent may do to the content, which is a very different thing.

2. Item 6 violates the Priorities of Constituencies, from the discussion linked at https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357. The linked bug comments provide discussion about why item 6 violates PoC, and why PoC is important.

3. Similar to item 6, the topic of "user agents attacking the content" arose earlier this year on the webappsec mailing list, and was not added to CSP. See the thread starting at http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0028.html. It was not successfully argued that CSP should handle this. The thread ended at http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0043.html, a suggestion to rely on the security of a vendor-specific hardware product that is out of the reach of the user agent.

4. Item 6 is a quantity of work that is worthy of it's own document. The only other analog of content restricting the user agent itself is Encrypted Media Extensions, posted at http://www.w3.org/TR/encrypted-media/. Looking at the mailing list archives at http://lists.w3.org/Archives/Public/public-html-admin/, the topic's discussion is time intensive. Attaching this topic to the existing CSP document may significantly delay CSP 1.1 from moving forward due to discussion alone.

However, disagreeing on item 6 alone should not end the discussion of the topic. Reading this working group’s charter, I hypothesize that item 6 is within the mission but not the scope. I propose that the working group discuss the topic as the question(s): Is this topic indeed within the charter’s mission? If so, should the charter’s scope be expanded to include a new deliverable (document) for this topic?


Cory Carson
Application Security Team
Boeing

-----

From: Glenn Adams [mailto:glenn@skynav.com] 
Sent: Monday, September 30, 2013 10:31 PM
To: Brad Hill
Cc: public-webappsec@w3.org
Subject: Re: [webappsec] POLL: Getting CSP 1.1 to LCWD


On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
As discussed on our last conference call and in a previous email, we are behind schedule on our deliverables and I would like to propose that we close the feature set for CSP 1.1.

This is a formal poll to establish consensus.  Workgroup members, please take a few minutes to respond to these 6 questions to the list.

1: We should close the feature set of CSP 1.1?  Agree / Disagree

2. We should include the application of 'unsafe-eval' semantics to the CSSOM in the core CSP 1.1 feature set? Agree / Disagree

3. We should include the suborigin sandboxing proposal in the core CSP 1.1 feature set? Agree / Disagree

4. We should include the "Session Origin Security" policy in the core CSP 1.1 feature set?  Agree / Disagree

5. We should include the "cookie-scope" policy in the core CSP 1.1 feature set?  Agree / Disagree

Finally, we have a Formal Objection that has been registered by the Cox Communication representative Glenn Adams to reverse the currently specified behavior of allowing user-defined scripts (including from extensions).  Glenn has declined to raise his suggestions on this list after several invitations to do so, but he gave a high-level set of proposals attached to this bug:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357


6. We should make changes to core CSP 1.1 behavior (including possibly specifying a new directive about user script) as requested by Bug 23357?  Agree / Disagree

It is premature to ask for a poll on a bug report that has not been discussed by the WG. I would suggest that a discussion occur at the next scheduled teleconference. I would be happy to discuss our concerns that led to filing this bug report at that time.
 

Please reply to this list so your views can be "on the record".  This poll closes at the start of our next regularly scheduled teleconference on October 8th at 2pm  United States Pacific Time.

Thank you,

Brad Hill
co-chair, WebAppSec WG
Received on Tuesday, 1 October 2013 19:01:32 UTC