- From: Brad Hill <hillbrad@gmail.com>
- Date: Sun, 3 Aug 2014 16:28:08 -0700
- To: Philip Constantinou <constantinou@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Adam Barth <w3c@adambarth.com>, Daniel Veditz <dveditz@mozilla.com>
Philip,

As the other WG co-chair, I do feel obligated somewhat to echo what's been said: There is no disagreement in this group or among current implementers of CSP on the importance of the priority of constituencies that makes the intent of the user paramount in how they experience the web. The CSP Level 2 spec uses non-normative language to indicate this, in order to give user agents the most leeway in accommodating user intent. It is also the case that previous normative language (SHOULD NOT) would be unlikely to survive to Recommendation at this point, given the lack of implementations that implement it consistently and successfully.

But I do think there are also two issues here that we can and perhaps should decompose: extensions/plugins versus bookmarklets.

Extensions and plugins are by their nature proprietary at this time. I think it is likely that user agents will find a way to allow them to work with Content Security Policy, but it is unlikely that a) they will do so by simply allowing direct modification of the DOM with injected script or b) that whatever mechanisms are employed will be consistent across browsers, as the architectures of extension/plugin technologies are user-agent specific. The differences between the internal architectures of Firefox and Chrome plugins, for example, are profound, and neither is within the scope of the W3C.

Bookmarklets are a slightly different case because a big part of their value proposition is that they are "just javascript" and work in a relatively uniform manner across all browsers. I think what we need here are proposals either for how to implement this in browsers (submitted either to this group or directly to implementers, depending on the specificity) or some specification language that works better to allow users freedom and flexibility while still protecting them from maliciously injected script. E.g. can a browser distinguish between a javascript: navigation that happened from a bookmark vs. one that was an href or src attribute?

Another difficulty here is that bookmarks, while almost universally supported in some form, aren't formally specified or implemented in an interoperable and standard fashion. Maybe we need a new Fetch context (http://fetch.spec.whatwg.org/#requests) for activating a bookmark that is more specific than "internal"?

I'm happy to continue the discussion, but as it seems there are other platform concepts either in HTML5 or Fetch that need more formal definition in order for us to attempt normative language in CSP, I think any such changes ought to be targeted to the next revision of the CSP specification.

-Brad Hill

On Thu, Jul 31, 2014 at 6:30 PM, Philip Constantinou <constantinou@gmail.com> wrote:

> Dear W3C CSP working group -
>
> Evernote voices our strong opposition to the wording changes regarding extensions and bookmarklets in CSP1.1 and our strong support of
>
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0061.html.
>
> Evernote provides a free web service to over 100 million users worldwide. We also provide browser extensions for Google Chrome, Safari, Internet Explorer and Opera in addition to bookmarklets which are used on other user agents. Additionally, we have ongoing development efforts on several mobile browsers.
>
> For example, the Evernote Web Clipper for Chrome is a top-rated free extension installed by over 3.4 million users.
>
> We've built these extensions for the express purpose of allowing users to capture and mark up content they find on the web. To create a great user experience, our extensions insert JavaScript into the viewer's page upon user request. This mechanism risks being broken by the vague extension/bookmarklet wording change proposed in CSP 1.1.
>
> We strongly believe that users should be allowed to control their own experience on the web through a choice of browser and the use of browser extensions. Changing the CSP specification in a way that limits browser extensions operates counter to the needs of users and limits companies like ours from making the web better for everyone.
>
> Thank you for your consideration -
>
> Philip Constantinou
> VP of Products
> Evernote
> remember everything
>
> ps. Sending this from my personal email address because the w3.org emailing list says evernote.com is blacklisted.
Received on Sunday, 3 August 2014 23:28:36 UTC