W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2019

Re: A modest content security proposal - use of "unsafe"

From: Mike West <mkwst@google.com>
Date: Tue, 23 Jul 2019 09:33:34 +0200
Message-ID: <CAKXHy=f=ebd9+58KvhDtcgpRmg5GDTHh4Xndv0YdVOc+qg4bhQ@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>
Cc: Web Application Security Working Group <public-webappsec@w3.org>
I'm thinking mostly of the conversation around `unsafe-eval`, which some
developers took as a much more damning critique of their chosen programming
methods than I think we'd intended. I don't think that label, in
particular, was helpful.

I don't think I'd object to `unsafe-whatever` labels in whatever we do
next, but I would like to make sure that we generally think it's going to
be helpful to developer education on balance.

-mike


On Thu, Jul 18, 2019 at 3:03 PM Craig Francis <craig.francis@gmail.com>
wrote:

> In regards to the first bit, about the "unsafe" prefixes...
>
> When discussing best coding practices with other programmers, it has
> helped me confirm/show inline JavaScript is unsafe ("see, even the browsers
> are telling you it's unsafe").
>
> And it makes it easy to write about in a pen-test report, where it hardly
> needs an explanation (admittedly it's complicated by the nonce based
> approach, which needs it for backwards compatibility).
>
> I also believe it's being introduced/used in some programming languages
> (Rust and Haskell?) and some frameworks (unfortunately I don't have
> direct examples of these, just overhearing programmers talking about it in
> a positive way).
>
>
>
>
>
> On 16 Jul 2019, at 11:54, Mike West <mkwst@google.com> wrote:
>
> Thanks for your feedback! I'll concentrate on the resource confinement
> feedback, as it's the part I've thought least about, and I'd like to
> understand your perspective!
>
> On Mon, Jul 15, 2019 at 2:15 PM Craig Francis <craig.francis@gmail.com>
> wrote:
>
>> Initial thoughts from a web developer, one that really likes CSP...
>>
>> I like the idea of the browser providing the nonce, and that being used
>> to white-list scripting - it feels like a good way to prove the website did
>> intend to include that script. It also means the browser knows the nonce is
>> random/unique (where developers should still be careful, you're reflecting
>> a value back in your HTML).
>>
>> And simplifying the process by locking down <base>, <object>,
>> "javascript:" URLs, etc; that should set a good/simplier baseline (where I
>> think "allow" should be re-named "allow-unsafe", and I would prefer eval to
>> be "block" by default).
>>
>
> In hindsight, I don't think the `unsafe-` prefixes made us any friends in
> the development community. Nor do I think they stopped anyone from doing
> unsafe things. It just made them irate while they were doing so. :)
>
>
>
Received on Tuesday, 23 July 2019 07:34:09 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 23 July 2019 07:34:10 UTC