ISSUE-18: Use CSP to report app risk and compatibility with user specified restrictions

CSP as risk assessment score

Use CSP to report app risk and compatibility with user specified restrictions

State:
CLOSED
Product:
CSP Level 1
Raised by:
Brad Hill
Opened on:
2012-09-11
Description:
Last Call comment by Fred Andrews:

http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0013.html

There are some interesting ideas in this proposal and I suggest trying to recover some of these by changing the approach to communicating the restrictions within which an application can operate. Clients could also use such information to give users a risk assessment of an application - for example an application that does not require JS would be a much lower risk, applications that are not contacting third parties or do not store long term cookies could be rated as more private, applications that use only https could be rated as more secure, etc. It would also allow clients to determine if applications will work under the restrictive settings that they have set. There seems to be scope for a much more positive contribution here, and it needs to take into account client extensions which could be a difficult issue to resolve.
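The signals the comment sketches (does the app need script, does it reach third parties, does it use only https) can be read off a single Content-Security-Policy header. The following is an added example for this page, not code from the working group, the CSP specification, or the commenter; the function names are its own, the policies it scores are constructed, and it assumes CSP Level 1 parsing rules (the first occurrence of a directive wins, a fetch directive without its own value falls back to default-src, a scheme-less host-source inherits the document's scheme) plus one labelled simplification (data: and blob: sources involve no transport and so do not count against "https only").

```javascript
// Added example: derive the risk/privacy signals from one CSP header.
// Assumptions are noted inline; nothing here is from the CSP spec text.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src', 'frame-src'];
const LOCAL_SCHEMES = new Set(['data:', 'blob:']); // assumption: no network transport

// Parse "name value; name value" into a Map. Directive names are
// case-insensitive and, per CSP 1.0, a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The source list governing a fetch directive: its own, else default-src,
// else null meaning "no restriction at all".
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Classify one source expression per the CSP 1.0 grammar.
function classifySource(token) {
  const t = token.toLowerCase();
  if (/^'[a-z-]+'$/.test(t)) return { kind: 'keyword', value: t.slice(1, -1) };
  if (t === '*') return { kind: 'any' };
  if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return { kind: 'scheme', scheme: t };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(t);
  if (!m) return { kind: 'invalid', value: token };
  return { kind: 'host', scheme: m[1] ? m[1] + ':' : null, wildcard: !!m[2], host: m[3] };
}

// A host-source is first-party if it names the document's host or a wildcard
// pattern that the document's host falls under (assumption for this example).
function isFirstParty(src, origin) {
  if (src.host === origin.hostname) return true;
  return src.wildcard && origin.hostname.endsWith('.' + src.host);
}

// Score one header for the document at documentOrigin.
function assessPolicy(header, documentOrigin) {
  const origin = new URL(documentOrigin);
  const policy = parseCsp(header);
  const report = { scriptsAllowed: true, inlineScript: false, evalAllowed: false,
    thirdPartyHosts: new Set(), anyThirdParty: false, httpsOnly: true, unrestricted: [] };
  for (const directive of FETCH_DIRECTIVES) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) { // nothing constrains this fetch type at all
      report.unrestricted.push(directive);
      report.anyThirdParty = true;
      report.httpsOnly = false;
      continue;
    }
    const parsed = sources.map(classifySource);
    // Assumption: an empty value is treated like 'none'.
    const blocked = parsed.length === 0 ||
      (parsed.length === 1 && parsed[0].kind === 'keyword' && parsed[0].value === 'none');
    if (directive === 'script-src') {
      report.scriptsAllowed = !blocked;
      report.inlineScript = parsed.some(s => s.kind === 'keyword' && s.value === 'unsafe-inline');
      report.evalAllowed = parsed.some(s => s.kind === 'keyword' && s.value === 'unsafe-eval');
    }
    for (const s of parsed) {
      switch (s.kind) {
        case 'keyword': // 'self' carries the document's own scheme
          if (s.value === 'self' && origin.protocol !== 'https:') report.httpsOnly = false;
          break;
        case 'any': // '*' permits every host over any scheme
          report.anyThirdParty = true; report.httpsOnly = false; break;
        case 'scheme': // "https:" permits every host, but only over https
          if (!LOCAL_SCHEMES.has(s.scheme)) {
            report.anyThirdParty = true;
            if (s.scheme !== 'https:') report.httpsOnly = false;
          }
          break;
        case 'host': { // scheme-less host-source inherits the document scheme (CSP 1.0)
          if ((s.scheme || origin.protocol) !== 'https:') report.httpsOnly = false;
          if (!isFirstParty(s, origin)) report.thirdPartyHosts.add(s.host);
          break;
        }
        default: break; // invalid expressions match nothing and add no risk
      }
    }
  }
  report.thirdPartyHosts = [...report.thirdPartyHosts].sort();
  return report;
}

// Constructed sample policies, not taken from any real site.
const STRICT_POLICY = "default-src 'none'; img-src 'self'; style-src 'self'";
const TYPICAL_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net 'unsafe-inline'; img-src *; connect-src https:";
console.log(assessPolicy(STRICT_POLICY, 'https://app.example.com/'));
console.log(assessPolicy(TYPICAL_POLICY, 'https://app.example.com/'));
```

The report is for exactly one response. As the working group's note on this issue points out, a policy is not required to be the same across resources or across loads, so a client rating an "application" this way would have to re-score every response and could not treat one header as a manifest; an ordinary page with no header at all scores as unrestricted on every fetch type.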
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

This is perhaps a useful idea that could be implemented independently as an extension, but it is not the core goal of CSP that the WG was chartered to produce. In particular, few applications are represented as a single resource, and resources are not required to have a static policy over time or across multiple loads. So, for the standard, interoperable case of the Web, CSP is not a permissions manifest of the sort envisioned here. There is nothing preventing individual packaged application formats using web technologies from using CSP in this manner, but such uses are implementation dependent.

Brad Hill, 11 Sep 2012, 21:51:47

Responses to this issue can be found in the following threads (there are often several replies, so it is suggested to view "Contemporary messages sorted by thread"):

http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html

The group's decision to close this issue without changing spec behavior was recorded in the minutes to the following teleconferences:

http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-25-Sep-2012.html
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html

Brad Hill, 26 Oct 2012, 20:40:39


