Re: [webappsec] POLL: Getting CSP 1.1 to LCWD

On Tue, Oct 1, 2013 at 6:01 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On 10/1/2013 3:03 PM, Glenn Adams wrote:
>
>> In creating a television user interface using the Open Web Platform,
>> these companies are often not exempted from requirements they
>> encounter when using other mediums for transmission. In the U.S. at
>> least, Emergency Alert Services are part of such requirements.
>>
>
> If the alerts are part of the video stream they'd be pretty immune from
> tampering.


They aren't. They are expected to be delivered using SSE or WSP and fielded
by the service provider's JS client code that provides the TV UI using
standard Web Platform technologies.


>
>>> I'd worry far more about malicious addons than compromised ones. The
>>> former is a reality, but CSP isn't going to help that problem.
>>>
>>
>> Well, if CSP enabled authors to declare that addons should not inject
>> script and the end user doesn't override that declaration, then we
>> believe CSP could help.
>>
>
> What stops the malicious addon from simply suppressing such a prompt and
> injecting itself anyway? Once the user is infected with malware it's no
> longer their computer and the browser cannot make any guarantees.
>

I guess it will depend on the addon technology for the specific UA. If it
is a UA that only executes script injected by addons and the APIs available
to it limit its functionality, then there may be some constraints on what
it can do.

In any case, I thought CSP was about providing one step in the defense in
depth ladder. No step protects everything.


>
> -Dan Veditz
>
>

Received on Wednesday, 2 October 2013 13:27:30 UTC