- From: Brian Smith <brian@briansmith.org>
- Date: Fri, 6 Feb 2015 11:11:40 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
On Tue, Jan 27, 2015 at 7:42 AM, Mike West <mkwst@google.com> wrote:

> The potentially contentious issue I'm aware of is the overarching question
> of whether CSP is a purely negative control, or whether directives like
> `referrer` and `reflected-xss` (which can arguably weaken a document's
> default security settings) fit into the processing model. Brian has made a
> strong case for dropping them (see the last two paragraphs in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0150.html),
> and I've marked both as "At Risk" in the CR draft. I wouldn't mind deferring
> the specification of both to CSP3, though I very much want to give folks
> like Twitter a mechanism to get redirectors like `t.co` fully onto HTTPS
> (which `referrer` promises to do). Perhaps a compromise that drops
> 'unsafe-url' but retains 'origin' would be a reasonable stopgap while we
> hammer out Referrer Policy separately?

I think it is best to move "referrer" to the referrer-policy document? IMO, it makes more sense there, and it will be easier to keep it in sync with major changes to referrer policy, which seem very likely at this point. Note that the Mixed Content draft already defines a CSP directive outside of the CSP spec, so there's now precedent for that. Otherwise, I don't see how CSP2 can advance to CR until referrer-policy advances to CR.

As for reflected-xss, I agree with deferring it to CSP3. Even if the working group ultimately decides that CSP shouldn't be a purely restrictive mechanism, there are several issues with how reflected-xss is specified (and underspecified) in the CSP2 draft. (I think I have a rough list of issues with reflected-xss that need to be addressed, if somebody wants them. But, I don't have time to write it up in the same level of detail I usually provide.)

> Are there other issues which I've missed, or insufficiently addressed?
There are two other major issues that are close to being resolved, but haven't been resolved enough for the draft to advance to CR:

1. The semantics of CSP nonce. It is clear what Mike thinks, and I hope it is clear what I think, but it is not clear whether others' silence is agreement with what the spec currently says, apathy, or an indication that the issue hasn't been sufficiently considered. I think it is better for the spec to be made more secure by making the changes I suggested in the "Clarifications on nonces" thread, but if there's a consensus in the working group that it is important for the nonce to be able to be passed around like a bearer token, I won't argue further. My concern is that it hasn't been adequately considered.

2. As I mentioned previously, I think it is really unfortunate that CSP2 isn't properly Unicode-enabled. I know that nobody is intentionally trying to discriminate against any group of people, but IMO this incidental discrimination shouldn't be accepted either. I think this issue deserves the same level of consideration as accessibility for people with visual impairments. (Note I'm not trying to diminish the importance of accessibility work.)

There are probably other minor issues, but I think that they can be resolved during CR.

Cheers,
Brian
Received on Friday, 6 February 2015 19:12:07 UTC