Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

On 10/1/2013 4:22 PM, Glenn Adams wrote:
> (2) the actual user of the UA may not know that some add-on is malicious
> or has been compromised;

This is an unfortunate and too common situation and leads to lots of 
problems that don't involve injecting content into web pages. It doesn't 
really matter what we say in the CSP spec in this case; malware is going 
to do what it's going to do.

> The current CSP specification language brushes over these distinctions,
> and recommends a behavior that poses the most risk. For example, the
> current language says CSP policy *should not* interfere with
> third-party add-ons.

"should not" is a strong recommendation, not a requirement. Firefox 
currently interferes and yet I believe it is still in compliance with 
this section of the spec.

> CSP is about supporting the ability of a content author to specify a
> white list for processing script content (and other features). At the
> same time, CSP is saying that a UA should ignore this white list when it
> comes to third-party add-ons. If the function of authored content is
> subverted by add-on script injection, then I fail to understand the
> value of CSP at all.

The primary intent of CSP is to prevent Cross-Site Scripting attacks, 
where an attacker on one web site can exploit flaws in a victim web site 
to inject content. This is extremely valuable whatever we decide to do 
about user scripts.

> If CSP is to have reasonable value, then it must respect the white list
> provided by the content author, and if that is deemed to potentially
> conflict with user intentions w.r.t. an add-on, then the user should be
> consulted to resolve the ambiguity over whose interests are allowed to
> apply.

W3C content specs try not to specify particular user-interface 
interaction models but leave that design up to the user-agent. We could 
add an implementation note recommending some kind of interaction but it 
would be a non-normative part of the spec. Browsers have been trying to 
avoid these kinds of user interactions, though, so it'd be hard to get 
such a plan by my UX designers.

-Dan Veditz

Received on Wednesday, 2 October 2013 00:39:04 UTC