
Re: Reporting should be explicitly optional (was Re: CSP formal objection.)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 11 Feb 2014 23:05:30 +0100
To: Mike West <mkwst@google.com>
Cc: Fred Andrews <fredandw@live.com>, Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <sr6lf95pbmldfaofadise4icpanijtu6se@hive.bjoern.hoehrmann.de>
* Mike West wrote:
>In the interests of reducing misunderstanding this time around, would you
>be willing to propose specific changes to the spec text? It might be more
>productive to discuss a specific pull request to
>https://github.com/w3c/webappsec/blob/master/specs/content-security-policy/csp-specification.dev.html than
>to go back and forth about the extent of the dispute in more general
>terms.

I find it rather inappropriate to ask reviewers to edit the HTML for
you; it should be entirely sufficient to ask them to sketch out some
of the text or to sketch out changes that would remove their concern.

It seems to me adding something like the following might address it
(this is for illustrative purposes only, not an actual suggestion):

  Reporting and enforcement can have privacy and other implications
  and conforming user agents are free to apply policies selectively.
  For instance, user agents might offer the configuration option to
  report only on web sites the user visits frequently. It is incorrect
  for web sites to depend on reporting or enforcement or to use 
  reporting data for purposes other than those described in this 
  document.

Fred, how close or far off would that be? It is quite possible that
you have something considerably more elaborate in mind.

>If you're referring to the discussion we had a few months ago around the
>impact of reporting on user privacy, then I'd reassert the claim that CSP
>reporting doesn't make anything possible that isn't already possible via
>existing DOM APIs (MutationObserver, event listeners, delayed measurement
>via setTimeout, etc). We can have that discussion again, if you like.

That is never an acceptable response to privacy concerns.

>Authors can't depend on a user agent supporting CSP, and the spec
>explicitly positions the feature as defense-in-depth.

It seems entirely possible to write code that breaks when CSP is not
supported or only selectively enforced/reported.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 11 February 2014 22:05:58 UTC
