- From: Brad Hill <hillbrad@gmail.com>
- Date: Sun, 2 Nov 2014 18:17:04 -0800
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
Mike, there are a number of extensions (browser-specific) that allow setting (or adding) user-specified content security policies. Certainly the spec doesn't forbid this, either. See, e.g., "User CSP" on Firefox and "Caspr: Enforcer" and "Content Security Policy Modifier" for Chrome. I doubt there is much interest in directly providing this as a core user-agent feature given the likely size of the audience for this kind of feature.

-Brad

On Fri, Oct 31, 2014 at 2:20 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

> Has there been any consideration for UA settings being able to make the CSP more restrictive? Like using the presence of a DNT header or an opt-in cookie? Something like
>
> script-src adco.fr[dnt:0] scriptlib.com;
>
> adco.fr only gets allowed if DNT:0 is present.
>
> Or for an opt-in cookie:
>
> script-src adco.fr[cookie:consent=yes] scriptlib.com;
>
> Mike O'Neill
>
>> -----Original Message-----
>> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On Behalf Of Anne van Kesteren
>> Sent: 31 October 2014 08:35
>> To: Brad Hill
>> Cc: Mike West; WebAppSec WG
>> Subject: Re: [MIX] 4.5 User Controls
>>
>> On Fri, Oct 31, 2014 at 9:29 AM, Brad Hill <hillbrad@gmail.com> wrote:
>> > I don't want users to be socially engineered into attacking themselves, either, but we respect the priority of constituencies. In the end, it is the user's agent, not the resource's. UAs can make choices to warn users or make it difficult to do harm to themselves, and some might not provide any affordances around CSP, but I don't think it's appropriate to add normative text forbidding the user to modify CSP.
>>
>> I guess that's fair. But then I think I stand by my request to make it clear in MIX that not all blocked fetches are equal and that you probably don't want to use the same UI to cater to e.g. CSP and MIX.
>> Or MIX could simply not say anything about user control either...
>>
>> --
>> https://annevankesteren.nl/
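The user-added policies Brad describes compose with a page's own policy by CSP's rule that every delivered policy must allow a fetch. The following is an added example, not code from this thread or from any of the extensions it names: a small JavaScript model of that composition, with deliberately simplified source matching and constructed policies, showing that a user policy (here assumed to be injected by an extension when the user has DNT set) can only narrow what the page allows, never widen it.

```javascript
// Added example, not code from the thread or the extensions it names.
// Models how a user-supplied CSP composes with the page's own CSP: every
// delivered policy must allow a fetch, so a user policy can only narrow it.
// Matching is simplified ('self', 'none', '*', a scheme, a host, "*.host").

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source
  // host-source: strip optional scheme and port, then compare hosts
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/:\d+$/, '');
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function policyAllows(directives, directive, url, pageOrigin) {
  // A missing fetch directive falls back to default-src; neither present means unrestricted.
  const sources = directives[directive] || directives['default-src'];
  if (!sources) return true;
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// A fetch is permitted only when every policy in the list permits it.
function allowedByAll(policyHeaders, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return policyHeaders.every(h => policyAllows(parsePolicy(h), directive, url, pageOrigin));
}

// Constructed sample: the page allows two script hosts; the user policy
// (assumed to be injected by an extension when the user has DNT set) drops adco.fr.
const pagePolicy = "default-src 'self'; script-src 'self' adco.fr scriptlib.com";
const userPolicy = "script-src 'self' scriptlib.com";
const origin = 'https://example.org';
console.log(allowedByAll([pagePolicy], 'script-src', 'https://adco.fr/ad.js', origin));             // true
console.log(allowedByAll([pagePolicy, userPolicy], 'script-src', 'https://adco.fr/ad.js', origin)); // false
console.log(allowedByAll([pagePolicy, 'script-src *'], 'script-src', 'https://other.test/x.js', origin)); // false
```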
Received on Monday, 3 November 2014 02:17:33 UTC