[whatwg] Clickjacking and CSRF

Thu Jul 16 14:25:36 PDT 2009

On Thu, Jul 16, 2009 at 4:25 PM, Jonas Sicking<jonas at sicking.cc> wrote:
> We've actually proposed it to the webapps list, but got little to no
> response. I'm not sure if we at this time have anyone that would have
> the resources to offer to be editor for a W3C CSP spec, if any of the
> WGs there are interested to host it.
>
> So in short, yes, we'd love to have it standardized, but so far
> haven't found a path to make that practically happen.
>
> But, as Mike said, we'd love to get feedback, and we'd love to get it
> now. So far most of the feedback we've gotten has been "looks
> interesting" which we take as a pretty good sign, but a little lacking
> in detail :)

As a web developer, I'd say it looks awesome.  It could allow at least
major web apps and big sites (i.e., those willing to put in the
effort) to become almost immune to XSS, while XSS in complicated web
apps seems to be as inevitable as death and taxes right now.  XSS is
to web apps right now kind of like what buffer overflows are to C:
probably there are some people or institutions that are careful enough
to *always* get it right, but there sure aren't many.

Of course, if only Mozilla implements it, it will be of limited value.
 I was concerned that none of the announcements said anything about
standardizing it or working with other browser vendors, just about
what Mozilla was doing.  I'm glad to hear that it's not intended to be
Mozilla-specific, and hope other browsers pick up on it.

report-uri would still be really useful even if only Mozilla
implemented the spec, as long as Firefox has good market share.
That's a particularly cool feature, I wouldn't have thought of it.

I guess this approach has pitfalls.  Every admin will have to manually
specify that they accept scripts from Analytics/their ad
provider/etc., etc.  I guess for web apps, they could still ship with
CSP enabled by default, and just require admins to add new script
links through some interface that automatically updates the policy.

What I'd really love to see is if all major web apps could at some
point ship with full CSP enabled by default.  I'm not clear yet on
whether it would work in practice, or if it would break too many
things and we'd realistically have to leave it opt-in.  I'm hoping
that report-uri would be a good solution to this: the app could have a
page that would automatically mail the admin with enough instructions
that they could fix the problem easily whenever one occurs.

Is there support in the spec for pinging the report-uri on violations,
but still allowing the violation to go through?  That could allow much
easier deployment, so that you could verify that your policy wasn't
blocking anything legitimate.  I don't see it anywhere, but I didn't
look very hard.

So those are my comments.  In short, I think the idea is great.  I can
pretty much guarantee that Wikimedia will be interested in trying it
out as soon as there are dev builds of Firefox that support it,
especially if we can have it report-only initially.