
Re: [secure-contexts] Just this source, silence network communication

From: Chris Palmer <palmer@google.com>
Date: Mon, 16 Apr 2018 16:21:09 +0000
Message-ID: <CAOuvq20tdaoFz9EDoHkb93cgzHu_+zX2Xc69E=QxfGhKk9Zpsw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: William Sharkey <williamsharkey@gmail.com>, public-webappsec@w3.org
On Sat, Apr 14, 2018 at 10:03 AM Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> I feel like a lot (most?) of the security headers and stuff we build
> is to help site operators (esp security teams for webapps) not make
> mistakes. Everyone could in theory write a secure site but in practice
> it is very hard. The same argument applies to CSP whitelist sources,
> suborigins, the referrer-policy header and so on. Setting it in one
> place makes security engineering's job a lot easier and the likelihood
> of bugs much lower.
>

Absolutely.

But in the original post, I sensed a possibility that such a mechanism
could grow to become a promise to users, in a way that I think CSP has not.
(And, when I have heard of this or similar threat models before, it was
explicitly expressed as a promise from the site operators to the users.
Maybe that's not what the original poster intended, but I'm always on the
look-out for promises we might be making but can't keep.)



Received on Monday, 16 April 2018 16:22:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 16 April 2018 16:22:10 UTC