- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 01 Oct 2013 13:01:12 -0700
- To: Glenn Adams <glenn@skynav.com>, Brad Hill <hillbrad@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <524B2A08.8070105@mozilla.com>
On 9/30/2013 5:39 PM, Glenn Adams wrote:
> On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
> > Glenn has declined to raise his suggestions on this list after several invitations to do so, but he gave a high-level set of proposals attached to this bug:
> >
> > https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
>
> I have laid out the problem in detail and proposed a number of possible solutions in the text of that bug. Doing it again here would just be repeating myself.

Bugzilla is a terrible discussion forum; it is a bug tracking app. The bug can track what we decide to do about your objections but is not suited to back-and-forth about a topic, and especially doesn't handle branching conversations. It's designed for a straight-line problem => (diagnosis => fix => test)* cycle.

The call is also not a great place for a lengthy discussion because we often have a lot to cover and not everyone can make it, the earth being round and all. What we usually do is reference list discussions and have brief consensus-taking on whether the list discussion had reached a conclusion.

If the objections are not discussed here on the list then you might as well not have even made them.

At the moment Firefox actually does what you want, because the spec'd behavior will take work, not because we agree with your objections. The problems the Firefox behavior raises:

* sites using reporting get overwhelmed with error reports that are not attacks due to attempted add-on injections. Twitter reported this was an unexpectedly large issue for them at one point.
* sites using reporting can fingerprint users based on their unique combination of add-ons
* user-desired mash-up functionality breaks. Sometimes the site in question really doesn't want their content modified but many times it's just collateral damage
* due to the above users disable CSP globally, making them less safe everywhere
* due to the above some _add-ons_ disable CSP globally, making users less safe everywhere without them even knowing. This violates the policies for reviewed add-ons hosted on addons.mozilla.org but users can get add-ons elsewhere.

Your bug seems worried about add-ons being exploited but we really haven't seen any evidence of that (vulnerabilities, yes; exploits, no). I'm sure it's a viable vector for a targeted attack but the bad guys are mostly going after plugins (hit all the browsers) or the browsers themselves (only part of the market but still a large number of victims). Add-ons that have a small fraction of a fraction of the market are just not a target.

We have seen entirely malicious add-ons and they are a worry, but those are usually installed through other malware vectors and simply use the add-on hooks for convenience. If those didn't exist there are plenty of other ways to compromise executables.

-Dan Veditz
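As an added example (not part of this mail, nor Mozilla or W3C code), the following Python sketch shows how a site receiving CSP violation reports could separate the add-on injection noise described above from page-origin violations, while dropping the extension identifier so stored reports cannot double as a per-user add-on fingerprint. The extension URI schemes, the report field names used for matching, and the sample reports are assumptions constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes assumed to mark content injected by a browser add-on rather than by
# the page itself; this set is an assumption of the example, not from the mail.
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension", "chrome", "resource"}

def classify_report(raw: str) -> dict:
    """Parse one CSP violation report (the JSON 'csp-report' wrapper a browser
    POSTs to report-uri) and label it 'addon' or 'web'. For add-on hits the
    extension's unique id is replaced by '<redacted>', so the stored report
    still shows that an add-on injected something without recording which
    add-ons a particular user has installed."""
    body = json.loads(raw).get("csp-report", {})
    blocked = body.get("blocked-uri", "")
    scheme = urlsplit(blocked).scheme.lower()
    if scheme in EXTENSION_SCHEMES:
        kind, blocked = "addon", f"{scheme}://<redacted>"
    else:
        kind = "web"
    return {
        "kind": kind,
        "document": body.get("document-uri", ""),
        "directive": body.get("violated-directive", ""),
        "blocked": blocked,
    }

def triage(reports):
    """Split a batch of raw reports into per-kind counts and the 'web' reports
    that deserve a human look; add-on noise is counted but not kept."""
    labelled = [classify_report(r) for r in reports]
    counts = Counter(r["kind"] for r in labelled)
    actionable = [r for r in labelled if r["kind"] == "web"]
    return dict(counts), actionable

# Constructed sample reports (not real telemetry).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://site.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "moz-extension://0123abcd-0000-4000-8000-000000000001/content.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://site.example/",
        "violated-directive": "style-src 'self'",
        "blocked-uri": "chrome-extension://abcdefghijklmnopabcdefghijklmnop/style.css"}}),
    json.dumps({"csp-report": {"document-uri": "https://site.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome://browser/content/tool.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://site.example/login",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://unexpected.example/inject.js"}}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

Whether a given browser actually exposes the extension scheme in `blocked-uri` varies by browser and version, so the scheme set should be checked against real reports before relying on it.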
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 1 October 2013 20:01:46 UTC