ISSUE-18: Use CSP to report app risk and compatibility with user specified restrictions
CSP as risk assessment score
- State:
- CLOSED
- Product:
- CSP Level 1
- Raised by:
- Brad Hill
- Opened on:
- 2012-09-11
- Description:
- Last Call comment by Fred Andrews:
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html
There are some interesting ideas in this proposal and I suggest trying to recover some of these by changing the approach to communicating the restrictions within which an application can operate. Clients could also use such information to give users a risk assessment of an application - for example an application that does not require JS would be a much lower risk, applications that are not contacting third parties or do not store long-term cookies could be rated as more private, applications that use only https could be rated as more secure, etc. It would also allow clients to determine if applications will work under the restrictive settings that they have set. There seems to be scope for a much more positive contribution here, and it needs to take into account client extensions which could be a difficult issue to resolve.
- Related Actions Items:
- No related actions
- Related emails:
- No related emails
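The comment above sketches how a client could read an application's CSP policy and derive a risk rating (no JavaScript, no third-party contact, https only) and a compatibility verdict against restrictions the user has chosen. The following is an added illustration of that idea, not code from the thread, from the WG, or from any browser: it parses a CSP Level 1 header, applies the default-src fallback, and reports which user restrictions the policy cannot satisfy. The directive names are the spec's; the scoring rules, the `assess`/`conflicts` functions and the sample headers are assumptions constructed for this example.

```python
# Added example: toy "CSP as risk score" checker for the idea in ISSUE-18.
# Only the directive names come from CSP Level 1; every rule below is an
# assumption of this example, not spec behaviour.
from dataclasses import dataclass

# Fetch directives that fall back to default-src when absent (CSP Level 1).
FETCH_DIRECTIVES = (
    "script-src", "connect-src", "img-src", "style-src", "font-src",
    "object-src", "media-src", "frame-src",
)
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source-expressions]}.
    A repeated directive is ignored: the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing a fetch directive, honouring the default-src fallback.
    With neither the directive nor default-src present, loads are unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def _is_third_party(source: str) -> bool:
    # Anything that is neither a keyword nor an inline data: URL can reach
    # another origin: '*', 'https:', or a host expression.
    return source not in KEYWORDS and not source.lower().startswith("data:")


def _is_https_only(source: str) -> bool:
    s = source.lower()
    return s in KEYWORDS or s == "https:" or s.startswith("https://") or s.startswith("data:")


@dataclass(frozen=True)
class RiskReport:
    needs_javascript: bool
    contacts_third_parties: bool
    https_only: bool
    third_party_sources: tuple[str, ...]


def assess(header: str) -> RiskReport:
    """Derive the three ratings mentioned in the comment from one policy."""
    policy = parse_csp(header)
    needs_js = effective_sources(policy, "script-src") != ["'none'"]
    third_party: list[str] = []
    https_only = True
    for directive in FETCH_DIRECTIVES:
        for src in effective_sources(policy, directive):
            if src == "'none'":
                continue
            if _is_third_party(src) and src not in third_party:
                third_party.append(src)
            if not _is_https_only(src):
                https_only = False
    return RiskReport(needs_js, bool(third_party), https_only, tuple(third_party))


def conflicts(header: str, *, allow_javascript: bool = True,
              allow_third_party: bool = True, require_https: bool = False) -> list[str]:
    """User restrictions the policy cannot satisfy; an empty list means compatible."""
    r = assess(header)
    out: list[str] = []
    if r.needs_javascript and not allow_javascript:
        out.append("requires JavaScript")
    if r.contacts_third_parties and not allow_third_party:
        out.append("loads from third parties: " + ", ".join(r.third_party_sources))
    if require_https and not r.https_only:
        out.append("allows non-https sources")
    return out


# Constructed sample policies (not taken from any real site).
STATIC_PAGE = "default-src 'none'; img-src 'self'; style-src 'self'"
CDN_APP = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
           "connect-src https://api.example.test")
LOOSE = "default-src *"

if __name__ == "__main__":
    for name, hdr in (("static", STATIC_PAGE), ("cdn", CDN_APP), ("loose", LOOSE)):
        print(name, assess(hdr), conflicts(hdr, allow_third_party=False, require_https=True))
```

The checker only reflects what a single response header declares, which is exactly the limitation the WG's note raises: a real application spans many resources whose policies can differ per load, so a rating computed this way describes one response, not the application.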
Related notes:
This is perhaps a useful idea that could be implemented independently as an extension, but it is not the core goal of CSP that the WG was chartered to produce. In particular, few applications are represented as a single resource, and resources are not required to have a static policy over time or across multiple loads. So, for the standard, interoperable case of the Web, CSP is not a permissions manifest of the sort envisioned here. There is nothing preventing individual packaged application formats using web technologies from using CSP in this manner, but such uses are implementation-dependent.
Brad Hill, 11 Sep 2012, 21:51:47
Responses to this issue can be found in the following threads (there are often several replies, so it is suggested to view "Contemporary messages sorted by thread"):
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html
The group's decision to close this issue without changing spec behavior was recorded in the minutes to the following teleconferences:
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-25-Sep-2012.html
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html