W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: CSP formal objection.

From: Glenn Adams <glenn@skynav.com>
Date: Mon, 27 Jan 2014 11:52:28 -0700
Message-ID: <CACQ=j+fKEjAQAe=XYfb4a1daM5VuPWyudQoQ9MTu2ac=zTxvbw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 27, 2014 at 11:41 AM, Devdatta Akhawe <dev.akhawe@gmail.com>wrote:

> Hi Glen
>
> I agree that the UA should have the *option* of enforcing CSP over
> user-supplied scripts and addons. UAs can decide what they want to do
> to better serve their users according to their own priorities.
>
> But, I thought the current phrasing of "SHOULD NOT" is saying exactly
> that. Based on RFC 2119[1], can you say more explicitly what changing
> the current phrasing with "SHOULD NOT" to Option #2 with "MAY" will
> mean for browsers?
>

While it is true that SHOULD and SHOULD NOT are effectively optional, they
nevertheless represent formal recommendations to implementers and users
alike. In particular, they create an expectation on users that
implementations will follow such a recommendations, and it is often the
case that bug reports will be created against implementations that don't
follow a recommendation.

In contrast, the use of MAY or MAY NOT does not create or reinforce such an
expectation.

Since our preference is actually the opposite sense of the recommendation,
i.e., we would prefer "MUST enforce" policy as opposed to "SHOULD NOT
enforce" policy, we are not satisfied with merely leaving SHOULD NOT intact
since it continues to create expectations to the contrary of our
preference. In contrast, using MAY doesn't create such an expectation, and
gives more leeway to user agent vendor.


>
> Thanks
> Dev
>
> [1] http://www.ietf.org/rfc/rfc2119.txt
>
> On 27 January 2014 10:28, Glenn Adams <glenn@skynav.com> wrote:
> > Forwarding to WG ML for wider input.
> >
> > ---------- Forwarded message ----------
> > From: Mike West <mkwst@google.com>
> > Date: Mon, Jan 27, 2014 at 11:25 AM
> > Subject: Re: CSP formal objection.
> > To: Glenn Adams <glenn@skynav.com>
> >
> >
> > Great, thanks for putting this together. Would you mind making this
> proposal
> > publicly to the list so we can try to come to consensus ahead of
> Wednesday's
> > call?
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
> > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails.
> Bleh.)
> >
> >
> > On Mon, Jan 27, 2014 at 10:19 AM, Glenn Adams <glenn@skynav.com> wrote:
> >>
> >>
> >>
> >>
> >> On Mon, Jan 27, 2014 at 10:10 AM, Mike West <mkwst@google.com> wrote:
> >>>
> >>> Hey Glenn,
> >>>
> >>> Where do you feel we are with
> >>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357 ?  I'd like to
> get CSP
> >>> 1.1 to last call relatively soon, so I'd like to understand what you
> think
> >>> needs to happen in order for you to consider your objection dealt with
> in a
> >>> way you're happy with.
> >>
> >>
> >> Option #1
> >>
> >> Our preference would be to simply remove the following text from 3.2.3:
> >>
> >> "Enforcing a policy should not interfere with the operation of
> >> user-supplied scripts such as third-party user-agent add-ons and
> JavaScript
> >> bookmarklets."
> >>
> >> Option #2
> >>
> >> However, absent removing this text, we could accept changing this to a
> >> note with a slight rewrite:
> >>
> >> "Note: A user agent may enforce a policy with respect to the operation
> of
> >> user-supplied scripts such as third-party user-agent add-ons and
> JavaScript
> >> bookmarklets."
> >>
> >> Option #3
> >>
> >> Our actual preference would be to restate the original text as:
> >>
> >> "A user agent must enforce a policy with respect to the operation of
> >> user-supplied scripts such as third-party user-agent add-ons and
> JavaScript
> >> bookmarklets."
> >>
> >> But we think the group won't accept this, thus we can accept (at this
> >> juncture) either option #1 or #2 or some equivalent.
> >>
> >> Regards,
> >> Glenn (for CoxCom)
> >>
> >>>
> >>>
> >>> Thanks!
> >>>
> >>> -mike
> >>>
> >>> --
> >>> Mike West <mkwst@google.com>
> >>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >>>
> >>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> >>> Registergericht und -nummer: Hamburg, HRB 86891
> >>> Sitz der Gesellschaft: Hamburg
> >>> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> >>> (Sorry; I'm legally required to add this exciting detail to emails.
> >>> Bleh.)
> >>
> >>
> >
> >
>
Received on Monday, 27 January 2014 18:53:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC