
Re: CSP formal objection.

From: Brian Smith <brian@briansmith.org>
Date: Mon, 3 Feb 2014 13:02:39 -0800
Message-ID: <CAFewVt5ivH5v6ZBFFWXtdOnR3dVyGEGyaHo2HsV8MJEcFHnQNA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Feb 3, 2014 at 12:38 PM, Brad Hill <hillbrad@gmail.com> wrote:
> "When considering interactions between a resource's policy and
> user-initiated changes to that resource, for example through extension
> mechanisms or bookmarklets, user agent implementors SHOULD take into
> account the HTML5 Priority of Constituencies (link) when determining whether
> to enforce or report on a policy violation that would be generated by such
> changes."

A UA should take priority of constituencies into account for every
feature, so why call it out specifically here? A bookmarklet or
extension could have "user" priority (e.g. if the user created it
himself/herself) or it could have less of a priority (e.g. if it was
sideloaded spyware).  Besides that, SHOULD-level requirements are
better left for requirements/recommendations on implementations, not
on implementors.

If the spec should say anything about this, it is just that websites
cannot rely on CSP to prevent the UA (including extensions) from
injecting content into the page or modifying the page. IMO, that
should be pretty obvious, because the UA implements CSP so it doesn't
make sense to expect the UA's CSP implementation to protect the
website from the UA.

Cheers,
Brian
Received on Monday, 3 February 2014 21:03:06 UTC