W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: CSP formal objection.

From: Glenn Adams <glenn@skynav.com>
Date: Wed, 29 Jan 2014 16:07:58 -0700
Message-ID: <CACQ=j+fDA_+-crXkUy_81vgJFYiKP6kkvneBM1gfknoyQ2BD1w@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Mike West <mkwst@google.com>, Neil Matatall <neilm@twitter.com>, "Hill, Brad" <bhill@paypal.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jan 29, 2014 at 3:39 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Mike West wrote:
> >With my editor hat on: there's no reasonable way to validate this sentence
> >for cross-browser compatibility. It is vague enough to allow multiple
> >interpretations (what does "interfere" mean, really?), and different
> >vendors allow add-ons different capabilities which the spec is necessarily
> >silent on. For instance, nothing in the spec notes that Chrome's content
> >settings should be able to block resources otherwise allowed by CSP.
> >
> >With my browser vendor hat on: I don't plan to change Chrome's behavior to
> >make extensions more subject to a page's CSP, regardless of this
> sentences'
> >presence in the spec. That runs counter to extensions' purpose, and the
> >priority of constituencies.
>
> The requirement is that when a CSP implementation enforces a CSP policy
> such that it grossly interferes with user intent, then people should be
> able to point out a part of the specification that very clearly says
> such interference is contrary to the requirements of the specification.
>

You appear to believe in a static, monolithic model of user intent. A
simple model, such as always ignore or always enforce CSP policy with
respect to an extension/addon installed by some (not necessarily the same)
user, is inadequate to address practical concerns. UA vendors appear to
recognize this, and need the flexibility to find an appropriate balance
based on a combination of dynamic interests.


>
> Such interference has the potential for causing harm, in the sense used
> in RFC 2119, and accordingly should be limited through appropriate re-
> quirements, as the CSP 1.0 Candidate Recommendation and the CSP 1.1 WD
> do.
>

Given there is not a consensus among browser vendors, it seems
inappropriate to specify an static approach at this juncture. Perhaps as
more experience is gained, new recommendations for standard, interoperable
behavior in this area may be developed.


> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>
>
Received on Wednesday, 29 January 2014 23:08:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC