
Removal of the note about extensions

From: Mitar <mmitar@gmail.com>
Date: Sat, 22 Feb 2014 09:03:39 -0800
Message-ID: <CAKLmikPhL_8_i1fAP1soMokAso23fBmJVBXZ=ywQW0iQjiVYSA@mail.gmail.com>
To: public-webappsec@w3.org

Hi!

I would like to open another discussion about removal of the note
about extensions:

https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55

I read some of the previous discussions on this topic and I must say that
I do not understand the reasons why it has been removed.

I understand that content providers might not like the idea of the user
being able to override the behavior of the website, but I do believe
that this should be possible (even if it decreases security of the
user). Security features should not be used to prevent user control
over their browser. Standards should not encourage loss of control.
They might allow special types of browsers which lock user down for
special use cases (web kiosks, etc.), but standard behavior should not
be to lock users away from control.

An argument that this is unnecessary to repeat again in the CSP 1.1
because it is already established in priority of constituencies is for
me clearly false as otherwise there would not be so much effort put in
to remove this note. Redundancy is not necessarily a bad thing if it
tries to remind a reader of the standard what is recommended behavior.
Not all readers know all standards, and notes such as those help.

I understand that this is hard to implement based on current browser
architectures, but many other features are hard to implement and
keeping them in the standard motivates vendors to implement them
sooner or later or for somebody to contribute a patch. It is hard to
contribute a patch if it is something which is not backed up by the
standard.

Additionally, most of the discussion was focused on browser
extensions/add-ons but I would like to make a case for bookmarklets as
well. All of those could be misused and social attacks tricking the
user to copy-paste unknown code somewhere are possible, but this
already happens even by running things from the developer console,
see:

https://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools

But at the end it is important to empower users. Bookmarklets are a
powerful way to do that and many simple web integrations are possible
through them. Especially because bookmarklets run in the site context
and do not have access to file system and other special resources,
while extensions/add-ons might do.

It is clear that this should be in the standard because otherwise
there would not be so much controversy about how exactly should CSP
interfere with user scripts and if at all. If it would be clear, then
it would be easy to write it down. It seems it is not easy, so let's
do the hard work and not just ignore the issue by removing the text.

Lastly, please do not use user security as an excuse to take control
away from the user. This is then a question of UI how is it done to
prevent users from running "wrong" scripts or extensions. A
confirmation dialog when they trigger or store a bookmarklet. A
manifest file requiring additional permission for extension. But this
is a wider issue. But what CSP standard should define is how to
increase security against cross-scripting attacks and clearly express
how to do that without taking control away from the user. This is the
job of the CSP standard. To define the latter as well.


Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Saturday, 22 February 2014 17:04:07 UTC
