- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Fri, 31 Oct 2014 09:20:47 -0000
- To: "'Anne van Kesteren'" <annevk@annevk.nl>, "'Brad Hill'" <hillbrad@gmail.com>
- Cc: "'Mike West'" <mkwst@google.com>, "'WebAppSec WG'" <public-webappsec@w3.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has there been any consideration for UA settings being able to make the CSP more restrictive? Like using the presence of a DNT header or an opt-in cookie?

Something like script-src adco.fr[dnt:0] scriptlib.com; adco.fr only gets allowed if DNT:0 is present.

Or for an opt-in cookie: script-src adco.fr[cookie:consent=yes] scriptlib.com;

Mike O'Neill

> -----Original Message-----
> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
> Behalf Of Anne van Kesteren
> Sent: 31 October 2014 08:35
> To: Brad Hill
> Cc: Mike West; WebAppSec WG
> Subject: Re: [MIX] 4.5 User Controls
>
> On Fri, Oct 31, 2014 at 9:29 AM, Brad Hill <hillbrad@gmail.com> wrote:
> > I don't want users to be socially engineered into attacking
> > themselves, either, but we respect the priority of constituencies. In
> > the end, it is the user's agent, not the resource's. UAs can make
> > choices to warn users or make it difficult to do harm to themselves,
> > and some might not provide any affordances around CSP, but I don't
> > think it's appropriate to add normative text forbidding the user to
> > modify CSP.
>
> I guess that's fair. But then I think I stand by my request to make it
> clear in MIX that not all blocked fetches are equal and that you
> probably don't want to use the same UI to cater to e.g. CSP and MIX.
> Or MIX could simply not say anything about user control either...
>
>
> --
> https://annevankesteren.nl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
Charset: utf-8

iQEcBAEBAgAGBQJUU1RvAAoJEHMxUy4uXm2JiJoH/2SvDAlZ2LOiVXwsxeANxeOV
PqplSOSp+2vPDx0eGsiZLnMLCLbhLHVaj8b4HTzvQiKL1v31HTVi/ybiEY/DOta9
o/r7GX9eqoUT3vH4W4h3b2CFGdVP8KTSTUa0Xd9pHXUs13zfUGElHXcR1G/UQpJC
KY3d3ygJ13/Usn1dSeJ6ik+C6SNlTUlCTjst2YgNxEiNJYgREuymbABlp4kQ34yO
tSWUBWounprP1JSwM6VSb7YTMCkBLs6xgJlc2pl26344iWadBNzEzXhkdN+VdZh2
Ff5m0v7GXNfYHNh7RvmOBYv1d7FOF739QKlOFz+X+K+rLUbJcpL+yluNl29MI94=
=9uxZ
-----END PGP SIGNATURE-----
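The conditional source expressions proposed in the message above (`host[dnt:0]`, `host[cookie:name=value]`) are not part of any CSP specification. As an added illustration of how a user agent could apply such a rule to tighten, never loosen, a policy, here is a small model written for this page; it is not code from the sender, the working group, or any browser. The bracket syntax, the use of the `DNT` request header value and a cookie name/value pair as the conditions, and the policy format handled are all assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical syntax modelled on the proposal: a source may carry one
# bracketed condition, "dnt:<value>" or "cookie:<name>=<value>". This is
# not CSP syntax; it only models the idea being discussed.
COND_RE = re.compile(
    r"^(?P<src>[^\[\]\s]+)(?:\[(?P<kind>dnt|cookie):(?P<arg>[^\]]+)\])?$"
)

Condition = Optional[Tuple[str, str]]


def parse_source(token: str) -> Tuple[str, Condition]:
    """Split 'host[kind:arg]' into (host, (kind, arg)); plain sources get None."""
    m = COND_RE.match(token)
    if not m:
        raise ValueError(f"unparseable source expression: {token!r}")
    if m.group("kind") is None:
        return m.group("src"), None
    return m.group("src"), (m.group("kind"), m.group("arg"))


def condition_holds(cond: Tuple[str, str],
                    headers: Dict[str, str],
                    cookies: Dict[str, str]) -> bool:
    """A conditional source is kept only when the request carries the
    signal it names; an absent signal means the source is dropped."""
    kind, arg = cond
    if kind == "dnt":
        # "adco.fr[dnt:0]" is allowed only if the DNT header is present with value 0.
        return headers.get("DNT") == arg
    if kind == "cookie":
        name, _, expected = arg.partition("=")
        return cookies.get(name) == expected
    return False


def effective_policy(policy: str,
                     headers: Dict[str, str],
                     cookies: Dict[str, str]) -> str:
    """Return the policy with every unsatisfied conditional source removed.

    Removing sources can only make the policy stricter: a directive left
    with no sources at all allows nothing, which is the safe direction
    for a user-side restriction to fail in.
    """
    out: List[str] = []
    for directive in policy.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, *tokens = directive.split()
        kept = [src for src, cond in map(parse_source, tokens)
                if cond is None or condition_holds(cond, headers, cookies)]
        out.append(" ".join([name] + kept))
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed sample: the policy from the message, evaluated against
    # a request that sends DNT: 1 (no tracking consent).
    print(effective_policy("script-src adco.fr[dnt:0] scriptlib.com",
                           {"DNT": "1"}, {}))
```

With `DNT: 1` (or no DNT header at all) the conditional host is dropped and only `scriptlib.com` remains; with `DNT: 0` the policy is returned unchanged. The same filter handles the cookie form, so `adco.fr[cookie:consent=yes]` survives only when a `consent=yes` cookie is present.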
Received on Friday, 31 October 2014 09:21:39 UTC