ISSUE-16: Editorial: CSP cannot dictate client behavior, only inform it

CSP informs client, cannot restrict it

State: CLOSED
Product: CSP Level 1
Raised by: Brad Hill
Opened on: 2012-09-11
Description:
From LC comment from Fred Andrews:

http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html

* "Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources."

The application runs on users' personal computers and they can choose to interpret these directives as they please, so the wording appears rather disingenuous. Could I suggest:

"Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client from where the application needs to load resources."


* "To mitigate XSS, for example, a web application can restrict itself to loading scripts only from known, trusted URIs, making it difficult for an attacker who can inject content into the web application to inject malicious script."

Could I suggest:

"To mitigate XSS, for example, a web application can declare from where it needs to load scripts, allowing the client to detect and block an attacker who can inject content into the web application to inject malicious script."


* "The term security policy, or simply policy, for the purposes of this specification refers to either:
a set of security preferences for restricting the behavior of content within a given resource, or
a fragment of text that codifies these preferences."

Could I suggest:
"The term resource restrictions policy, or simply policy, for the purposes of this specification refers to either: a set of resource restrictions within which the content can operate, or a fragment of text that codifies these restrictions."


* "A server transmits its security policy for a particular protected resource as a collection of directives, such as default-src 'self', each of which controls a specific set of privileges for that protected resource as instantiated by the user agent. More details are provided in the directives section."

The information being sent has nothing to do with the server's security. The server cannot implement its security at the client. The information is in no way capable of controlling a set of privileges on the server or the client. This wording is very confusing. Could I suggest:

"A server transmits the resource restrictions policy for a particular resource as a collection of directives, such as default-src 'self', each of which declares a specific set of restrictions for that resource as instantiated by the user agent. More details are provided in the directives section."
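As an added illustration (not part of this issue, of the mailing-list comment, or of the W3C specification text), the following Python models the relationship the comment is arguing about: the server transmits a declarative policy such as `default-src 'self'`, and it is the user agent that parses it and decides what to do with each resource load. The source-expression matching covers a simplified subset of CSP 1.0 (`'self'`, `'none'`, `*`, and scheme/host/port host-sources); the document URL, header and resource URLs are constructed sample values, and the `UserAgent` class with its `enforce` flag is a hypothetical model of a client, not any browser's implementation.

```python
from urllib.parse import urlparse

# Constructed sample inputs: the document's URL and the policy it was served with.
DOCUMENT_URL = "https://app.example.com/index.html"
POLICY_HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"


def parse_policy(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.

    CSP 1.0 keeps only the first occurrence of a directive name; later
    duplicates are ignored, which setdefault() reproduces.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def _origin(url: str):
    """(scheme, host, port) with default ports filled in, for 'self' comparison."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def source_matches(expr: str, resource_url: str, document_url: str) -> bool:
    """Does one source expression permit loading resource_url?"""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return _origin(resource_url) == _origin(document_url)
    # host-source: [scheme://]host[:port], with an optional leading "*." wildcard
    r_scheme, r_host, r_port = _origin(resource_url)
    scheme, _, host_port = expr.rpartition("://")
    if scheme and scheme != r_scheme:
        return False
    host, _, port = host_port.partition(":")
    if port and port != str(r_port):
        return False
    if host.startswith("*."):
        return r_host is not None and r_host.endswith(host[1:])
    return r_host == host


def effective_sources(policy: dict, directive: str) -> list:
    """A missing directive falls back to default-src; no policy at all means no restriction."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def evaluate_load(policy: dict, directive: str, resource_url: str, document_url: str) -> bool:
    """The policy's verdict for one load: True if any source expression matches."""
    return any(
        source_matches(expr, resource_url, document_url)
        for expr in effective_sources(policy, directive)
    )


class UserAgent:
    """Hypothetical client model: it reads the policy, but enforcement is its own choice.

    enforce=True  blocks loads the policy does not permit.
    enforce=False loads everything and only records the violations (a
                  report-only style of behaviour); the server cannot tell the difference.
    """

    def __init__(self, enforce: bool = True):
        self.enforce = enforce
        self.violations = []

    def load(self, policy: dict, directive: str, resource_url: str, document_url: str) -> bool:
        permitted = evaluate_load(policy, directive, resource_url, document_url)
        if not permitted:
            self.violations.append((directive, resource_url))
        return permitted or not self.enforce


if __name__ == "__main__":
    policy = parse_policy(POLICY_HEADER)
    ua = UserAgent(enforce=True)
    for directive, url in [
        ("script-src", "https://app.example.com/app.js"),
        ("script-src", "https://cdn.example.com/lib.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("style-src", "https://cdn.example.com/site.css"),  # falls back to default-src
    ]:
        print(directive, url, "->", "loaded" if ua.load(policy, directive, url, DOCUMENT_URL) else "blocked")
    print("violations:", ua.violations)
```

Running the block shows the same header producing different outcomes depending on the client: an enforcing `UserAgent` blocks the third-party script and the CDN stylesheet, while a non-enforcing one loads both and merely notes the violations, which is exactly why the comment objects to wording that says the server "restricts" or "controls" anything.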
Related Action Items: No related actions
Related emails: No related emails

Related notes:

Edits accepted by abarth for CR. Revision: http://dvcs.w3.org/hg/content-security-policy/file/d6c66fbd6917/csp-1.0-specification.html

Brad Hill, 25 Sep 2012, 01:02:56
