- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 19 Jun 2014 14:50:06 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
One roadblock for us in convincing our web devs to roll out CSP is the
amount of noise in the reports they get. Firefox could do a much better
job playing nice with add-ons, but we won't be able to completely
suppress what they're doing and add-ons aren't the only source of
content injection.
When creating a CSP-protected website you would normally adjust the
policy and fix bugs in the site until CSP reports no violations in
normal operation. After that point any CSP reports should indicate
either an attack or a bug in your site. However, in the real world
people have modified user-agents that trigger tons of spurious reports
an it would be nice if the policy could specify a way to suppress some
of this reporting.
There are several approaches that could be taken. These all address the
problem in different ways and could potentially be combined, or we could
decide only one (or none!) of these is interesting.
Capping reports per page
------------------------
If normal unmodified browsers have zero reports then any reports at all
should indicate a real attack. Modified add-on laden browsers generating
tons of inline script warnings don't tell you much, they are just noise
and load on the system. Therefore capping the reports at a small number
is good enough to diagnose real problems assuming you have a way to
filter out the noisy modified browsers.
Syntax (new directive): max-reports 5;
alternate keyword in report-uri directive:
report-uri 'max-5' http://mysite.com/cspreports;
The keyword is more compact and /should/ be backward compatible with old
implementations, but if it's not in practice then we'll have to use the
additional directive approach.
Throttling reports
------------------
If sites are not staffed to investigate and respond to individual CSP
reported attacks (and I expect very few are) then for a high-traffic
site a sampling approach would work to catch non-targeted mass attacks.
Today sites could manually simulate this by randomly adding the
report-uri directive X% of the time and serving the policy without the
rest of the time, but it may be useful to off-load that to the UA.
keyword approach: report-uri 'freq-XX' http://mysite/reports;
(where XX is an integer 1-99 representing a percentage)
directive approach: report-frequency 0.10;
(where the number is the odds of sending 0-1)
there's obviously not much point in setting the odds to 0 or 100%, just
use or don't use report-uri to get those states.
Selective reporting
-------------------
Sometimes you'd just like to reduce the noise in reporting but you don't
want to go so far as to allow the injected content or give up on
reporting. It would be nice to be able to suppress reports you already
know about but aren't going away any time soon (e.g. attempts by an ISP
to inject a tracker or ad).
I'm afraid people will want extreme flexibility with this (e.g. suppress
reports of flickr being loaded as an image but still warn if it shows up
elsewhere) but that would make the "suppress" directive exactly as
complex as the whole rest of the syntax. For now I'm proposing simply to
suppress reporting about sites no matter where they were used
dont-report flickr.com data: googleapis.com/some/path/ 'unsafe-eval';
I'm not convinced letting people suppress reports of unsafe-eval and
unsafe-inline is a good idea, just raising the possibility. We might
want to invent new keywords to distinguish 'script-inline' from
'style-inline' if we take this approach.
-Dan Veditz
Received on Thursday, 19 June 2014 21:50:32 UTC