- From: Florian Weber <fweber@rebrush.de>
- Date: Thu, 23 Oct 2014 21:46:25 +0200
- To: Sean Snider <ssnider@yahoo-inc.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CABHFno2kGAxA1=T4Eo=BBdDfuQZ1C+e141gUYtcb+j6Zq2yV3w@mail.gmail.com>
Pew.... So I guess my idea was not that good. But now I have a good feeling because I know why CSP is working like it is at that point. Thanks guys for making the Web safer :)

Greetings
Florian

2014-10-23 7:33 GMT+02:00 Sean Snider <ssnider@yahoo-inc.com>:

> Yeah see I totally disagree with this. . . no way do I think a nonce inline should be able to generate an external script and get automatic vetting. . . that defeats the whole purpose. . .
>
> If it's an external URL, loading into the main page, it's not just a security risk, but a performance risk, a stability risk etc. And since it's a URL, its response can change at will, at any time. . . basically meaning that if you are not white-listing by URI or nonce + inline, there is no "real" way that you can trust the content. . . b/c you're just skipping over it. . . it defeats the whole purpose. . .
>
> And further (as I work at Yahoo and the IAB), no site . . . not one single site, "trusts" 3rd party script.
>
> The sites that allow raw JavaScript from ads on their pages are doing so only b/c they don't feel they have any data in page, or via cookies, or whatever that they need to protect. . . but in many many cases, that's simply b/c the developers of the site are not informed enough. . .
>
> In fact that model is very quickly dying. . . most folks are sandboxing. . . either using a plain IFRAME, a SafeFrame, or some variant of CAJA or FBJS. Display ads and 3rd party dynamically downloaded content is fine (in fact plenty of mashup type modules out there that fit in this category as well), but no site should ever be loading that stuff raw into their main page . . . it's just way too risky.
>
> For anything dynamic. . . honestly the only thing I can think of is sandboxing. . . white-list just doesn't work in that case except for at very base levels (like plugin-types for example).
>
> Sean
>
> *From:* fwebdev@gmail.com [mailto:fwebdev@gmail.com] *On Behalf Of* Florian Weber
> *Sent:* Tuesday, October 21, 2014 2:17 PM
> *To:* Anne van Kesteren; public-webappsec@w3.org
> *Subject:* Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts
>
> > The site owner has the choice to trust the third-party script by giving it a valid nonce in the first place. If we trust that third party they can run any JavaScript they want. Why should they not be allowed to insert another script?
> >
> > The other solution is to use unsafe-inline which doesn't make the web much safer.
> >
> > There already was a discussion about this topic on the list some time ago. There was a kind of 50/50 feeling about preventing or allowing this behavior.
> >
> > http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html
> >
> > 2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>:
> >
> > > On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de> wrote:
> > > > There are a lot of tracking and advertisement scripts out there and I think it would be a lot easier to adopt CSP (without the use of unsafe-inline) if the behavior would be changed.
> > >
> > > How do you envision changing the behavior while retaining the security?
> > >
> > > --
> > > https://annevankesteren.nl/
> >
> > --
> > About me on Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter <http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>

--
About me on Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter <http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
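As an added illustration (not code from the thread or from any of its participants), here is a simplified JavaScript model of the CSP Level 2 script-src decision the thread is about: a nonce vouches only for the element that carries it, so an external script that a nonced block inserts is judged purely by the URI whitelist. The policy string, page origin and script elements are constructed sample values, and source matching is reduced to scheme://host (real user agents also handle ports, paths, wildcards and hashes).

```javascript
// Added example, not code from the thread: a simplified model of the CSP Level 2
// script-src decision. Source matching is reduced to scheme://host; real user
// agents also handle ports, paths, wildcards and hashes. All values are constructed.
const PAGE_ORIGIN = 'https://example.test'; // assumed origin of the protected page

// Parse "script-src 'self' 'nonce-R4nd0m' https://cdn.example" into its parts.
function parseScriptSrc(directive) {
  const tokens = directive.replace(/^script-src\s+/, '').trim().split(/\s+/);
  const policy = { self: false, unsafeInline: false, nonces: new Set(), hosts: new Set() };
  for (const tok of tokens) {
    if (tok === "'self'") policy.self = true;
    else if (tok === "'unsafe-inline'") policy.unsafeInline = true;
    else if (tok.startsWith("'nonce-")) policy.nonces.add(tok.slice(7, -1));
    else policy.hosts.add(tok.replace(/\/$/, ''));
  }
  return policy;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// script is { inline: true, nonce? } or { inline: false, src, nonce? }.
function isScriptAllowed(policy, script) {
  // A nonce vouches only for the element that carries it; nothing it loads inherits it.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (script.inline) {
    // CSP2: 'unsafe-inline' is ignored once the policy also carries a nonce.
    return policy.unsafeInline && policy.nonces.size === 0;
  }
  const origin = originOf(script.src);
  if (policy.self && origin === PAGE_ORIGIN) return true;
  return policy.hosts.has(origin);
}

// The thread's scenario: a nonced inline block inserts a non-whitelisted external script.
function demo() {
  const policy = parseScriptSrc("script-src 'self' 'nonce-R4nd0m' https://cdn.example");
  return {
    noncedInline: isScriptAllowed(policy, { inline: true, nonce: 'R4nd0m' }),
    whitelistedExternal: isScriptAllowed(policy, { inline: false, src: 'https://cdn.example/ads.js' }),
    // Inserted by the nonced block without a nonce and from an unlisted host: blocked.
    dynamicExternal: isScriptAllowed(policy, { inline: false, src: 'https://tracker.example/t.js' }),
    inlineWithoutNonce: isScriptAllowed(policy, { inline: true }),
  };
}
console.log(demo());
```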
Received on Thursday, 23 October 2014 19:46:52 UTC