W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 01 Oct 2013 13:01:12 -0700
Message-ID: <524B2A08.8070105@mozilla.com>
To: Glenn Adams <glenn@skynav.com>, Brad Hill <hillbrad@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 9/30/2013 5:39 PM, Glenn Adams wrote:
> On Mon, Sep 30, 2013 at 5:23 PM, Brad Hill <hillbrad@gmail.com
> <mailto:hillbrad@gmail.com>> wrote:
>     Glenn has declined to raise his
>     suggestions on this list after several invitations to do so, but he
>     gave a high-level set of proposals attached to this bug:
>     https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
> I have laid out the problem in detail and proposed a number of possible
> solutions in the text of that bug. Doing it again here would just be
> repeating myself.

Bugzilla is a terrible discussion forum, it is a bug tracking app. The
bug can track what we decide to do about your objections but is not
suited to back-and-forth about a topic, and especially doesn't handle
branching conversations. It's designed for a straight-line problem =>
(diagnosis => fix => test)* cycle.

The call is also not a great place for a lengthy discussion because we
often have a lot to cover and not everyone can make it, the earth being
round and all. What we usually do is reference list discussions and have
brief consensus-taking on whether the list discussion had reached a

If the objections are not discussed here on the list then you might as
well not have even made them.

At the moment Firefox actually does what you want, because the spec'd
behavior will take work not because we agree with your objections. The
problems the Firefox behavior raises:

* sites using reporting get overwhelmed with error reports that are not
attacks due to attempted add-on injections. Twitter reported this was an
unexpectedly large issue for them at one point.

* sites using reporting can fingerprint users based on their unique
combination of add-ons

* user-desired mash-up functionality breaks. Sometimes the site in
question really doesn't want their content modified but many times it's
just collateral damage

* due to the above users disable CSP globally making them less safe

* due to the above some _add-ons_ disable CSP globally, making users
less safe everywhere without them even knowing. This violates the
policies for reviewed add-ons hosted on addons.mozilla.org but users can
get add-ons elsewhere.

Your bug seems worried about addons being exploited but we really
haven't seen any evidence of that (vulnerabilities, yes; exploits, no).
I'm sure it's a viable vector for a targeted attack but the bad guys are
mostly going after plugins (hit all the browsers) or the browsers
themselves (only part of the market but still a large number of
victims). Addons that have a small fraction of a fraction of the market
are just not a target.

We have seen entirely malicious add-ons and they are a worry, but those
are usually installed through other malware vectors and simply use the
add-on hooks for convenience. If those didn't exist there are plenty of
other ways to compromise executables.

-Dan Veditz

Received on Tuesday, 1 October 2013 20:01:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC