W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [MIX] 4.5 User Controls

From: Brad Hill <hillbrad@gmail.com>
Date: Sun, 2 Nov 2014 18:17:04 -0800
Message-ID: <CAEeYn8juZt-JKw6HKNRZ59Z-W2N-oQdex45scv6nsp36qSK4Bw@mail.gmail.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>

Mike, there are a number of extensions (browser-specific) that allow
setting (or adding) user specified content security policies.
Certainly the spec doesn't forbid this, either.

See, e.g. "User CSP" on Firefox and "Caspr: Enforcer" and "Content
Security Policy Modifier" for Chrome.

I doubt there is much interest in directly providing this as a core
user-agent feature given the likely size of the audience for this kind
of feature.

-Brad

On Fri, Oct 31, 2014 at 2:20 AM, Mike O'Neill
<michael.oneill@baycloud.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has there been any consideration for UA settings being able to make the CSP more restrictive? Like using the presence of a DNT header or an opt-in cookie? Something like
>
> script-src adco.fr[dnt:0] scriptlib.com;
>
> adco.fr only gets allowed if DNT:0 is present.
>
> Or for an opt-in cookie:
>
> script-src adco.fr[cookie:consent=yes] scriptlib.com;
>
> Mike O'Neill
>
>
>> -----Original Message-----
>> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
>> Behalf Of Anne van Kesteren
>> Sent: 31 October 2014 08:35
>> To: Brad Hill
>> Cc: Mike West; WebAppSec WG
>> Subject: Re: [MIX] 4.5 User Controls
>>
>> On Fri, Oct 31, 2014 at 9:29 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> > I don't want users to be socially engineered into attacking
>> > themselves, either, but we respect the priority of constituencies.  In
>> > the end, it is the user's agent, not the resource's.  UAs can make
>> > choices to warn users or make it difficult to do harm to themselves,
>> > and some might not provide any affordances around CSP, but I don't
>> > think it's appropriate to add normative text forbidding the user to
>> > modify CSP.
>>
>> I guess that's fair. But then I think I stand by my request to make it
>> clear in MIX that not all blocked fetches are equal and that you
>> probably don't want to use the same UI to cater to e.g. CSP and MIX.
>> Or MIX could simply not say anything about user control either...
>>
>>
>> --
>> https://annevankesteren.nl/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (MingW32)
> Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
> Charset: utf-8
>
> iQEcBAEBAgAGBQJUU1RvAAoJEHMxUy4uXm2JiJoH/2SvDAlZ2LOiVXwsxeANxeOV
> PqplSOSp+2vPDx0eGsiZLnMLCLbhLHVaj8b4HTzvQiKL1v31HTVi/ybiEY/DOta9
> o/r7GX9eqoUT3vH4W4h3b2CFGdVP8KTSTUa0Xd9pHXUs13zfUGElHXcR1G/UQpJC
> KY3d3ygJ13/Usn1dSeJ6ik+C6SNlTUlCTjst2YgNxEiNJYgREuymbABlp4kQ34yO
> tSWUBWounprP1JSwM6VSb7YTMCkBLs6xgJlc2pl26344iWadBNzEzXhkdN+VdZh2
> Ff5m0v7GXNfYHNh7RvmOBYv1d7FOF739QKlOFz+X+K+rLUbJcpL+yluNl29MI94=
> =9uxZ
> -----END PGP SIGNATURE-----
>
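Mike O'Neill's proposal above attaches a condition to individual source expressions (`adco.fr[dnt:0]`, `adco.fr[cookie:consent=yes]`). That bracket syntax is not part of any CSP specification, and nothing in the thread implements it; the following is an added example, not code from the thread or the working group, showing how a server could resolve such a conditional policy against the request's DNT header and cookies and emit a standard CSP header. The policy strings, cookie names and hostnames are constructed for illustration.

```python
import re

# Added example: resolve a policy written in the conditional syntax proposed in
# the thread into an ordinary CSP header, server-side. The bracket syntax
# ("host[dnt:0]", "host[cookie:name=value]") is hypothetical; the output is
# plain CSP that any browser understands.
COND_RE = re.compile(r"^(?P<src>[^\[\]\s]+)\[(?P<kind>dnt|cookie):(?P<arg>[^\]]+)\]$")


def parse_cookie_header(value):
    """Split a Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def request_context(raw_headers):
    """Lower-case header names and pre-parse the Cookie header."""
    headers = {k.lower(): v.strip() for k, v in raw_headers.items()}
    return {"headers": headers,
            "cookies": parse_cookie_header(headers.get("cookie", ""))}


def condition_holds(kind, arg, ctx):
    """True if the bracketed condition is satisfied by this request."""
    if kind == "dnt":
        # "dnt:0" allows the source only when the user actually sent DNT: 0;
        # an absent DNT header does not satisfy it.
        return ctx["headers"].get("dnt") == arg
    if kind == "cookie":
        name, sep, expected = arg.partition("=")
        if not sep:
            return name in ctx["cookies"]      # "cookie:name": cookie merely present
        return ctx["cookies"].get(name) == expected
    return False


def resolve_policy(policy, ctx):
    """Drop conditional sources whose condition fails; keep everything else.

    Omitting a source can only make the policy stricter, which is the point of
    the proposal: user signals tighten the policy, never loosen it.
    """
    out = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        kept = []
        for source in sources:
            m = COND_RE.match(source)
            if m is None:
                kept.append(source)                    # unconditional source, kept as-is
            elif condition_holds(m["kind"], m["arg"], ctx):
                kept.append(m["src"])                  # condition met: emit bare host
            # otherwise the source is left out of the emitted policy
        if not kept:
            kept = ["'none'"]   # CSP: a directive with no sources matches nothing
        out.append(" ".join([name] + kept))
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed policy and sample requests for the demonstration.
    POLICY = ("script-src adco.fr[dnt:0] scriptlib.com; "
              "img-src tracker.example[cookie:consent=yes]")
    opted_out = request_context({"DNT": "1"})
    consented = request_context({"DNT": "0", "Cookie": "session=abc; consent=yes"})
    print(resolve_policy(POLICY, opted_out))   # script-src scriptlib.com; img-src 'none'
    print(resolve_policy(POLICY, consented))   # script-src adco.fr scriptlib.com; img-src tracker.example
```

Because resolution happens before the header is sent, the browser never sees the conditional syntax, so no user-agent or specification change is needed to get this behaviour today. It also composes with the user-side extensions Brad mentions: CSP enforces every policy delivered for a resource, so a user-added policy can only narrow what the server's resolved policy already permits.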
Received on Monday, 3 November 2014 02:17:33 UTC
