- From: Mitar <mmitar@gmail.com>
- Date: Sat, 22 Feb 2014 09:03:39 -0800
- To: public-webappsec@w3.org
Hi!

I would like to open another discussion about the removal of the note about extensions:

https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55

I read some of the previous discussions on this topic and I must say that I do not understand the reasons why it has been removed. I understand that content providers might not like the idea of the user being able to override the behavior of the website, but I do believe that this should be possible (even if it decreases the security of the user). Security features should not be used to prevent user control over their browser. Standards should not encourage loss of control. They might allow special types of browsers which lock the user down for special use cases (web kiosks, etc.), but the standard behavior should not be to lock users away from control.

An argument that this is unnecessary to repeat again in CSP 1.1 because it is already established in the priority of constituencies is for me clearly false, as otherwise there would not be so much effort put into removing this note. Redundancy is not necessarily a bad thing if it tries to remind a reader of the standard what the recommended behavior is. Not all readers know all standards, and notes like this help.

I understand that this is hard to implement based on current browser architectures, but many other features are hard to implement, and keeping them in the standard motivates vendors to implement them sooner or later, or somebody to contribute a patch. It is hard to contribute a patch if it is something which is not backed up by the standard.

Additionally, most of the discussion was focused on browser extensions/add-ons, but I would like to make a case for bookmarklets as well. All of those could be misused, and social attacks tricking the user into copy-pasting unknown code somewhere are possible, but this already happens even by running things from the developer console, see:

https://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools

But in the end it is important to empower users. Bookmarklets are a powerful way to do that, and many simple web integrations are possible through them. Especially because bookmarklets run in the site context and do not have access to the file system and other special resources, while extensions/add-ons might.

It is clear that this should be in the standard, because otherwise there would not be so much controversy about how exactly CSP should interfere with user scripts, and if at all. If it were clear, then it would be easy to write it down. It seems it is not easy, so let's do the hard work and not just ignore the issue by removing the text.

Lastly, please do not use user security as an excuse to take control away from the user. This is then a question of UI: how it is done to prevent users from running "wrong" scripts or extensions. A confirmation dialog when they trigger or store a bookmarklet. A manifest file requiring additional permission for an extension. But this is a wider issue. What the CSP standard should define is how to increase security against cross-site scripting attacks, and clearly express how to do that without taking control away from the user. This is the job of the CSP standard: to define the latter as well.

Mitar

--
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Saturday, 22 February 2014 17:04:07 UTC