
[CSP] Request to amend bookmarklet/extensions sentence in CSP1.1

From: Gregory Huczynski <gh_online@me.com>
Date: Tue, 15 Jul 2014 08:47:11 +0100
Message-id: <693A2D35-4AF9-44B5-AA3D-237CD39146BF@me.com>
To: public-webappsec@w3.org
Hi there,

Having read through the latest CSP 1.1 working draft, I would like to propose that the sentence referring to bookmarklets and third-party additions is reverted to its original CSP 1.0 form.

Specifically, the sentence:

"Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms."

is reverted to:

"Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."

I understand that the change to the new 1.1 form was a consensus decision, with multiple discussions on the webappsec mailing list and github in February/March. For reference, I have collated the relevant communications below. It appears that: 1 person requested the change and strongly argued for it, 1 agreed, 2 others agreed on the grounds that a "standard have no business with UI-level features", and 16 argued against it.

The new sentence in CSP 1.1 weakens the position of user-installed bookmarklets and browser extensions, by opening the possibility that they are subject to a page author's content security policy. Makers of such bookmarklets and extensions should have an opportunity to reply.

There was no input to the consensus decision from any individuals or companies who make popular bookmarklets or extensions - who would like a say on this change if they were aware of it. I will be making such individuals and companies aware of the CSP 1.1 draft, such that they have an opportunity to comment before the deadline closes on 13 August 2014.

Below follows a fuller explanation of why the sentence should revert to the 1.0 version, and a collation of related communications so far.

Kind regards

Gregory Huczynski

Fuller explanation

If the user installs bookmarklets or extensions to act on their behalf, they should not be affected by a page author's content security policy. This would reflect the "Priority of Constituencies" (http://www.w3.org/TR/html-design-principles/#priority-of-constituencies) which places the rights and concerns of users ahead of content authors.  The original CSP 1.0 sentence definitively constrains the scope of a content author's page security policy: the policy should not affect the operation of user-installed third-party additions.

The new CSP 1.1 sentence is a far weaker guideline. It opens the possibility that user-installed third-party additions can be subject to a page author's content security policy, depending on user agent. This does not reflect the "Priority of Constituencies", raises the possibility that a content author ultimately decides what user-installed bookmarklets and extensions can operate on their pages, and makes it harder to raise bugs against user-agents that aim for W3C CSP conformance.

Various services exist that offer users the ability to augment, transform or interact with any page on the www: functionality like page translation, bookmarking, and reformatting. They provide functionality in the form of bookmarklets and browser extensions - which millions of users have chosen to install and use every day. These services are now starting to fail on various websites with a content security policy. The bookmarklets/extensions use script/style/iframe https injection to function, and Firefox and Chrome are now blocking this behaviour - they are applying a web page's whitelisted-origin policy. Bugs have been raised against these browsers [1][2], and the definitive language in CSP 1.0 provided a strong case for this behaviour to be fixed. The new CSP 1.1 wording does not require this behaviour to be treated as a user-agent bug, according to the standard. It therefore brings into question the long-term viability of such cross-website services that depend on this technical bookmarklet/extension approach. It also raises uncertainty over innovation in cross-website services.

For the sake of the millions of users who trust and gain value from cross-website bookmarklets and extensions, we should put their existence on a definitive footing and return to the original CSP 1.0 sentence.

For reference:
[1] Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=866522
[2] Chrome bug: https://code.google.com/p/chromium/issues/detail?id=233903

Collation of related communications

Bug opened: 'Subverting CSP policies for browser add-ons'

'CSP formal objection' email thread:

Entire bookmarklet sentence is removed from CSP 1.1 draft
Github commit references public-webappsec email:

'Removal of the note about extensions' email thread
Final email:

WebAppSec WG Teleconference 26-Feb-2014 minutes:

Bookmarklet sentence added back, as a weak guideline.
Received on Tuesday, 15 July 2014 07:47:44 UTC
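The message above describes bookmarklets failing because the browser applies the page's whitelisted-origin policy to the script, style and iframe elements the bookmarklet injects. The following is an added example, not part of the original message and not code from any browser or from the CSP specification: a simplified CSP 1.0 source-list evaluator that shows which injections a given page policy blocks. The page origin, policy string and bookmarklet service origin are constructed for illustration; nonces and hashes are not modelled, and the only directive fallback implemented is to default-src.

```javascript
// Parse a Content-Security-Policy header value into { directive: [sourceExpr...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective port of a URL ('' in URL.port means the scheme's default port).
function portOf(u) {
  return u.port || (u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '');
}

// Does one source expression match `url` on a page served from `pageOrigin`?
// Models 'self', 'none', '*', scheme-sources (e.g. "https:") and host-sources
// with an optional scheme, "*." host wildcard, port and path. Other keyword
// sources ('unsafe-inline', nonces, hashes) never match a fetched URL here.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === page.origin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e; // scheme-source
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (u.protocol !== (scheme ? scheme + ':' : page.protocol)) return false;
  const hostOk = host.startsWith('*.')
    ? u.hostname.endsWith(host.slice(1))
    : u.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) {
    if (u.port !== '') return false; // no port in the source: URL must use the default
  } else if (port !== '*' && portOf(u) !== port) {
    return false;
  }
  if (path !== undefined) {
    if (path.endsWith('/')) {
      if (!u.pathname.startsWith(path)) return false; // directory prefix match
    } else if (u.pathname !== path) {
      return false; // exact file match
    }
  }
  return true;
}

// Look up the directive, falling back to default-src as CSP 1.0 does.
// Neither present means the policy does not restrict this fetch.
function policyAllows(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// What a cross-site bookmarklet typically injects, and the CSP 1.0 directive
// the user agent applies to each injected element.
const INJECTIONS = {
  script: 'script-src', // document.createElement('script') with src = loader
  style: 'style-src',   // <link rel="stylesheet" href=...>
  iframe: 'frame-src',  // <iframe src=...> for a side panel
};

// For each injection kind, would the page's policy let it load from serviceOrigin?
function bookmarkletOutcome(header, pageOrigin, serviceOrigin) {
  const result = {};
  for (const [kind, directive] of Object.entries(INJECTIONS)) {
    result[kind] = policyAllows(header, directive, serviceOrigin + '/' + kind, pageOrigin);
  }
  return result;
}

// Constructed demo (hypothetical origins): a page that whitelists only itself
// and its own CDN, and a bookmarklet service hosted on an unrelated origin.
const PAGE_ORIGIN = 'https://www.example.com';
const PAGE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' https://*.example.com";
const BOOKMARKLET_ORIGIN = 'https://bookmarklet-service.example.net';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(bookmarkletOutcome(PAGE_POLICY, PAGE_ORIGIN, BOOKMARKLET_ORIGIN));
  // { script: false, style: false, iframe: false }: every injection is blocked
  console.log(bookmarkletOutcome(PAGE_POLICY, PAGE_ORIGIN, 'https://cdn.example.com'));
  // { script: true, style: true, iframe: false }: the frame falls back to default-src 'self'
}

module.exports = { parseCsp, sourceMatches, policyAllows, bookmarkletOutcome, PAGE_POLICY, PAGE_ORIGIN, BOOKMARKLET_ORIGIN };
```

The point the evaluator makes concrete is the one the message argues about: nothing in the page's whitelist can name the bookmarklet's origin, so once the user agent applies script-src, style-src and frame-src to user-initiated injections, the bookmarklet cannot work on that page no matter what the user wants. Whether those injections should be subject to the page's policy at all is exactly the question the two competing sentences answer differently.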