- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 01 Oct 2013 17:38:43 -0700
- To: public-webappsec@w3.org
On 10/1/2013 4:22 PM, Glenn Adams wrote:
> (2) the actual user of the UA may not know that some add-on is malicious
> or has been compromised;

This is an unfortunate and too common situation and leads to lots of problems that don't involve injecting content into web pages. It doesn't really matter what we say in the CSP spec in this case; malware is going to do what it's going to do.

> The current CSP specification language brushes over these distinctions,
> and recommends a behavior that poses the most risk. For example, the
> current language says CSP policy *should not* interfere with
> third-party add-ons.

"should not" is a strong recommendation, not a requirement. Firefox currently interferes and yet I believe it is still in compliance with this section of the spec.

> CSP is about supporting the ability of a content author to specify a
> white list for processing script content (and other features). At the
> same time, CSP is saying that a UA should ignore this white list when it
> comes to third-party add-ons. If the function of authored content is
> subverted by add-on script injection, then I fail to understand the
> value of CSP at all.

The primary intent of CSP is to prevent Cross-Site Scripting attacks, where an attacker on one web site can exploit flaws in a victim web site to inject content. This is extremely valuable whatever we decide to do about user scripts.

> If CSP is to have reasonable value, then it must respect the white list
> provided by the content author, and if that is deemed to potentially
> conflict with user intentions w.r.t. an add-on, then the user should be
> consulted to resolve the ambiguity over whose interests are allowed to
> apply.

W3C content specs try not to specify particular user-interface interaction models but leave that design up to the user agent. We could add an implementation note recommending some kind of interaction, but it would be a non-normative part of the spec.

Browsers have been trying to avoid these kinds of user interactions, though, so it'd be hard to get such a plan by my UX designers.

-Dan Veditz
Received on Wednesday, 2 October 2013 00:39:04 UTC