Intent to Implement: `sample` property for CSP reports.

Mike West

Mar 2, 2017, 3:59:08 AM3/2/17
to blink-dev

Contact emails

mk...@chromium.org


Spec

https://w3c.github.io/webappsec-csp/#deprecated-serialize-violation


Summary

Firefox has shipped a `script-sample` property in CSP violation reports since their initial implementation, while other browsers have not done the same for various reasons outlined in the thread at https://lists.w3.org/Archives/Public/public-webappsec/2016Oct/0016.html. The `sample` property attempts to reach consensus on an opt-in variant of Firefox's behavior. In short, we'll collect a 40-character sample for inline script and style violations, and include it in the violation report (and associated SecurityPolicyViolationEvent object) iff a 'report-sample' expression is present in the violated directive.

That is, given:

    script-src 'nonce-abc' 'report-sample'

and:

    <script>alert(1);</script>

The violation report would include:

    {
      ...
      "sample": "alert(1);"
    }

Motivation

Artur (CC'd) lays out the Google security team's perspective on samples in violation reports at https://github.com/w3c/webappsec-csp/issues/119#issue-179078142: without a sample, detecting and eliminating inline script violations is practically impossible. This is a request I've heard echoed from basically everyone else who collects violation reports at scale. 


Interoperability and Compatibility Risk

The main risk here is that the proposal doesn't exactly match what Firefox has shipped. The key distinctions are:

1. This approach requires opt-in from the site, via a new `'report-sample'` expression in the relevant directive.

2. We're including inline style violations as well, and have renamed the property to the more generic `sample` accordingly.


I expect that we'll be able to work out these risks as part of the specification process, and will align our implementations to whatever we agree upon.


Edge: No signals.

Firefox: Shipped.

Safari: No signals.

Web developers: Positive.


Ongoing technical constraints

None.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


OWP launch tracking bug

https://crbug.com/606774

Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5792234276388864


Requesting approval to ship?

No.


-mike
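The opt-in behaviour described in the Summary, modelled end to end as an added example (this is not Blink's code and not part of Mike's message): the "browser" side builds a report and attaches `sample` only when the violated directive carries `'report-sample'`, truncating to 40 characters; the "collector" side parses incoming reports, accepts either the proposed `sample` key or Firefox's `script-sample`, and groups violations by sample so the offending inline code can actually be found. The report field names other than `sample` (`document-uri`, `violated-directive`, `blocked-uri`) are standard CSP report fields; `SAMPLE_LENGTH`, the function names and the constructed inputs are this example's own.

```javascript
// Added example, not Blink/Chromium code. Models the 'report-sample' opt-in
// on the browser side and a minimal report collector on the server side.

const SAMPLE_LENGTH = 40; // per the intent: a 40-character sample

// Split a directive such as "script-src 'nonce-abc' 'report-sample'" into
// its name and source expressions. Keywords match ASCII case-insensitively.
function parseDirective(directiveText) {
  const tokens = directiveText.trim().split(/\s+/);
  return {
    name: tokens[0].toLowerCase(),
    sources: tokens.slice(1).map((s) => s.toLowerCase()),
  };
}

function wantsSample(directive) {
  return directive.sources.includes("'report-sample'");
}

// Browser side: build the report body for a blocked inline script/style.
// `inlineContent` is the text of the blocked <script>/<style> element.
function buildReport({ documentUri, directiveText, inlineContent }) {
  const directive = parseDirective(directiveText);
  const report = {
    "document-uri": documentUri,
    "violated-directive": directive.name,
    "original-policy": directiveText,
    "blocked-uri": "inline",
  };
  if (wantsSample(directive)) {
    // Only the first SAMPLE_LENGTH characters ever leave the page.
    report.sample = inlineContent.slice(0, SAMPLE_LENGTH);
  }
  return { "csp-report": report };
}

// Collector side: parse one POSTed report body. Returns null for anything
// that is not a well-formed report object, so a bad payload cannot crash
// the endpoint. Accepts Firefox's legacy `script-sample` as well.
function parseReport(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch (e) {
    return null;
  }
  const body = parsed && parsed["csp-report"];
  if (!body || typeof body !== "object") return null;
  const sample =
    typeof body.sample === "string"
      ? body.sample
      : typeof body["script-sample"] === "string"
        ? body["script-sample"]
        : null;
  return {
    documentUri: String(body["document-uri"] || ""),
    violatedDirective: String(body["violated-directive"] || ""),
    blockedUri: String(body["blocked-uri"] || ""),
    sample, // null when the policy did not opt in (or the browser sent none)
  };
}

// Group inline violations by sample: this is what makes the report stream
// actionable, since "blocked-uri: inline" alone says nothing about which
// element fired. Reports without a sample land in one "(no sample)" bucket.
function summarizeBySample(reportTexts) {
  const counts = {};
  for (const text of reportTexts) {
    const r = parseReport(text);
    if (r === null || r.blockedUri !== "inline") continue;
    const key = r.sample === null ? "(no sample)" : r.sample;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed demo input: three pages, two of which opted in.
const demoReports = [
  JSON.stringify(buildReport({
    documentUri: "https://example.test/a",
    directiveText: "script-src 'nonce-abc' 'report-sample'",
    inlineContent: "alert(1);",
  })),
  JSON.stringify(buildReport({
    documentUri: "https://example.test/b",
    directiveText: "script-src 'nonce-abc' 'report-sample'",
    inlineContent: "alert(1);",
  })),
  JSON.stringify(buildReport({
    documentUri: "https://example.test/c",
    directiveText: "script-src 'nonce-abc'", // no opt-in: no sample
    inlineContent: "alert(1);",
  })),
];

console.log(summarizeBySample(demoReports));
// { 'alert(1);': 2, '(no sample)': 1 }
```

Running the block prints the grouped counts for the constructed reports; pointing `summarizeBySample` at the bodies your report endpoint receives gives the same triage view over real traffic.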
