Re: CSP formal objection.

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 29 Jan 2014 23:39:47 +0100
To: Mike West <mkwst@google.com>
Cc: Neil Matatall <neilm@twitter.com>, "Hill, Brad" <bhill@paypal.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <tevie9d7u44gnacmjq47v6id7ig9drlqkm@hive.bjoern.hoehrmann.de>
* Mike West wrote:
>With my editor hat on: there's no reasonable way to validate this sentence
>for cross-browser compatibility. It is vague enough to allow multiple
>interpretations (what does "interfere" mean, really?), and different
>vendors allow add-ons different capabilities which the spec is necessarily
>silent on. For instance, nothing in the spec notes that Chrome's content
>settings should be able to block resources otherwise allowed by CSP.
>
>With my browser vendor hat on: I don't plan to change Chrome's behavior to
>make extensions more subject to a page's CSP, regardless of this sentence's
>presence in the spec. That runs counter to extensions' purpose, and the
>priority of constituencies.

The requirement is that when a CSP implementation enforces a CSP policy
such that it grossly interferes with user intent, then people should be
able to point out a part of the specification that very clearly says
such interference is contrary to the requirements of the specification.

Such interference has the potential for causing harm, in the sense used
in RFC 2119, and accordingly should be limited through appropriate
requirements, as the CSP 1.0 Candidate Recommendation and the CSP 1.1 WD
do.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 29 January 2014 22:40:14 UTC