Re: CfC: Transition CSP2 to CR.

On Tue, Jan 27, 2015 at 7:42 AM, Mike West <mkwst@google.com> wrote:
> The potentially contentious issue I'm aware of is the overarching question
> of whether CSP is a purely negative control, or whether directives like
> `referrer` and `reflected-xss` (which can arguably weaken a document's
> default security settings) fit into the processing model. Brian has made a
> strong case for dropping them (see the last two paragraphs in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0150.html),
> and I've marked both as "At Risk" in the CR draft. I wouldn't mind deferring
> the specification of both to CSP3, though I very much want to give folks
> like Twitter a mechanism to get redirectors like `t.co` fully onto HTTPS
> (which `referrer` promises to do). Perhaps a compromise that drops
> 'unsafe-url' but retains 'origin' would be a reasonable stopgap while we
> hammer out Referrer Policy separately?

I think it is best to move "referrer" to the referrer-policy document?
IMO, it makes more sense there, and it will be easier to keep it in
sync with major changes to referrer policy, which seem very likely at
this point. Note that the Mixed Content draft already defines a CSP
directive outside of the CSP spec, so there's now precedent for that.
Otherwise, I don't see how CSP2 can advance to CR until
referrer-policy advances to CR.

As for reflected-xss, I agree with deferring it to CSP3. Even if the
working group ultimately decides that CSP shouldn't be a purely
restrictive mechanism, there are several issues with how reflected-xss
is specified (and underspecified) in the CSP2 draft. (I think I have a
rough list of issues with reflected-xss that need to be addressed, if
somebody wants them. But, I don't have time to write it up in the same
level of detail I usually provide.)

> Are there other issues which I've missed, or insufficiently addressed?

There are two other major issues that are close to being resolved, but
haven't been resolved enough for the draft to advance to CR:

1. The semantics of CSP nonce. It is clear what Mike thinks, and I
hope it is clear what I think, but it is not clear whether others'
silence is agreement with what the spec currently says, apathy, or an
indication that the issue hasn't been sufficiently considered. I think
it is better for the spec to be made more secure by making the changes
I suggested in the "Clarifications on nonces" thread, but if there's a
consensus in the working group that it is important for the nonce to
be able to be passed around like a bearer token, I won't argue
further. My concern is that it hasn't been adequately considered.

2. As I mentioned previously, I think it is really unfortunate that
CSP2 isn't properly Unicode-enabled. I know that nobody is
intentionally trying to discriminate against any group of people, but
IMO this incidental discrimination shouldn't be accepted either. I
think this issue deserves the same level of consideration as
accessibility for people with visual impairments. (Note I'm not trying
to diminish the importance of accessibility work.)

There are probably other minor issues, but I think that they can be
resolved during CR.

Cheers,
Brian

Received on Friday, 6 February 2015 19:12:07 UTC